Re: [webauthn] "The user handle MUST NOT be empty, though it MAY be null" - but only in responses? (#1598)

The thought came to me that, during attestation, if `user.id` is null while `authenticatorSelection.residentKey` is set to `"required"`, [`authenticatorMakeCredential`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-op-make-cred) may fail in step 7.4.4 when the authenticator attempts to store `credentialSource` in `rp.id, userHandle`:

> 4. If requireResidentKey is true or the authenticator chooses to create a client-side discoverable public key credential source:
>     1. Let credentialId be a new credential id.
>     2. Set credentialSource.id to credentialId.
>     3. Let credentials be this authenticator’s credentials map.
>     4. **Set credentials[(rpEntity.id, userHandle)] to credentialSource.**

Is this a legitimate issue if `user.id` is allowed to remain nullable?

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1598#issuecomment-824310662 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 21 April 2021 19:43:27 UTC
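
The map write quoted in the comment above, as an added example that is not part of the original message or of the specification: a toy model of the authenticator's credentials map plus a relying-party pre-flight check on `user.id`. `ToyAuthenticator`, `mapKey`, `checkUserId` and `demo` are hypothetical names, the key encoding is an assumption, and the 64-byte limit is the specification's maximum user handle size. In this model a null handle does not raise an error; every null-handle credential for the same RP ID lands on the same key.

```javascript
// Toy model (constructed): not a real authenticator or the spec's own code.
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Assumed encoding of the ordered pair (rpEntity.id, userHandle) as a map key.
function mapKey(rpId, userHandle) {
  return JSON.stringify([rpId, userHandle === null ? null : toHex(userHandle)]);
}

class ToyAuthenticator {
  constructor() { this.credentials = new Map(); this.nextId = 1; }

  // Mirrors sub-steps 1-4 quoted above for the requireResidentKey case.
  makeDiscoverableCredential(rpId, userHandle) {
    const credentialSource = { id: `cred-${this.nextId++}`, rpId, userHandle };
    const key = mapKey(rpId, userHandle);
    const replaced = this.credentials.get(key) ?? null; // entry about to be overwritten
    this.credentials.set(key, credentialSource);
    return { credentialSource, replaced };
  }

  count(rpId) {
    return [...this.credentials.values()].filter((c) => c.rpId === rpId).length;
  }
}

// RP-side check before navigator.credentials.create(): returns a reason or null.
function checkUserId(userId) {
  if (userId === null || userId === undefined) return "user.id is null";
  if (!(userId instanceof ArrayBuffer) && !ArrayBuffer.isView(userId))
    return "user.id is not a BufferSource";
  if (userId.byteLength === 0) return "user.id is empty";
  if (userId.byteLength > 64) return "user.id exceeds 64 bytes";
  return null;
}

// Two distinct handles, then two different accounts registered with a null handle.
function demo() {
  const auth = new ToyAuthenticator();
  auth.makeDiscoverableCredential("example.com", new Uint8Array([1]));
  auth.makeDiscoverableCredential("example.com", new Uint8Array([2]));
  const a = auth.makeDiscoverableCredential("example.com", null);
  const b = auth.makeDiscoverableCredential("example.com", null);
  return {
    stored: auth.count("example.com"),        // 3 entries, not 4
    firstNullId: a.credentialSource.id,
    replacedId: b.replaced && b.replaced.id,  // the first null-handle credential
  };
}
```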