[webauthn] "The user handle MUST NOT be empty, though it MAY be null" - but only in responses? (#1598)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== "The user handle MUST NOT be empty, though it MAY be null" - but only in responses? ==
In [§5.4.3 User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialuserentity-id), the description of the `id` attribute reads:

>[...] The user handle MUST NOT be empty, though it MAY be null.

However the definition of the same attribute marks it `required`, and Chrome 89 returns an error if you attempt to set it to null in a `navigator.credentials.create()` call.

I think this was supposed to mean that the user handle _parameter_ [`publicKey.user.id`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialuserentity-id) MUST NOT be empty and MUST NOT be null, but the user handle _return value_ [`PublicKeyCredential.response.userHandle`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorassertionresponse-userhandle) MAY be null (for example when using a U2F authenticator or a non-discoverable credential). Is that right?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1598 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 21 April 2021 17:13:33 UTC
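
An added example, not part of the original issue or of the specification: relying-party checks for the two cases the issue distinguishes, following the spec's assertion-verification rule that a null `userHandle` is acceptable only when the user was identified before the ceremony. The function names, the store layout and the sample values are assumptions.

```javascript
// Added example: names, store layout and sample values are assumptions.
const MAX_USER_HANDLE_BYTES = 64; // maximum user handle size in the WebAuthn spec

// Registration: check the value about to be sent as publicKey.user.id.
function checkUserIdParam(id) {
  if (id === null || id === undefined) return "missing"; // member is `required`
  if (!(id instanceof ArrayBuffer) && !ArrayBuffer.isView(id)) return "not-a-buffer";
  if (id.byteLength === 0) return "empty";
  if (id.byteLength > MAX_USER_HANDLE_BYTES) return "too-long";
  return "ok";
}

const toHex = (bytes) => Buffer.from(bytes).toString("hex");

// Authentication: decide which account an assertion belongs to.
// `assertion.userHandle` is null or a Uint8Array; `preIdentifiedUser` is the
// user handle (hex) the RP established before the ceremony, or null.
function resolveUser(assertion, credentialStore, preIdentifiedUser) {
  const cred = credentialStore.get(assertion.credentialId);
  if (!cred) return { ok: false, reason: "unknown-credential" };
  const handle = assertion.userHandle;
  if (preIdentifiedUser === null) {
    // Username-less flow: the returned handle is the only account identifier.
    if (handle === null) return { ok: false, reason: "user-handle-required" };
  } else if (cred.userHandleHex !== preIdentifiedUser) {
    return { ok: false, reason: "not-credential-owner" };
  }
  // A handle that is present must map to the credential's owner.
  if (handle !== null && toHex(handle) !== cred.userHandleHex) {
    return { ok: false, reason: "user-handle-mismatch" };
  }
  return { ok: true, user: cred.userHandleHex };
}

// Constructed sample data: one stored credential owned by user handle a1b2.
const store = new Map([["cred-1", { userHandleHex: "a1b2" }]]);
const u2fStyle = { credentialId: "cred-1", userHandle: null };
const discoverable = { credentialId: "cred-1", userHandle: Uint8Array.from([0xa1, 0xb2]) };

console.log(checkUserIdParam(null), checkUserIdParam(new Uint8Array(0)));
console.log(resolveUser(u2fStyle, store, "a1b2"), resolveUser(u2fStyle, store, null));
console.log(resolveUser(discoverable, store, null));
```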