
[webauthn] Inconsistent RP directions for handling credential transports (#1587)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Sun, 21 Mar 2021 18:21:51 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-837147903-1616350911-sysbot+gh@w3.org>
emlun has just created a new issue for https://github.com/w3c/webauthn:

== Inconsistent RP directions for handling credential transports ==
The definition of [`AuthenticatorAttestationResponse.getTransports()`](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#dom-authenticatorattestationresponse-transports-slot) reads:

>[...] The values SHOULD be members of AuthenticatorTransport but Relying Parties MUST ignore unknown values.

However [§7.1. Registering a New Credential, step 23](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#ref-for-dom-authenticatorattestationresponse-gettransports%E2%91%A3) reads (emphasis added):

>[...]
>It is RECOMMENDED to also:
>- Associate the credentialId with the transport hints returned by calling credential.response.getTransports(). **This value SHOULD NOT be modified** before or after storing it. [...]

These directions seem to be in conflict, and I think the latter is more correct. The transports value is primarily for the client to consume while the RP just needs to echo it back later, so the RP shouldn't need to care about what it contains. So I think we should edit the former to read:

>The values SHOULD be members of AuthenticatorTransport but Relying Parties MUST accept unknown values.

or perhaps:

>The values SHOULD be members of AuthenticatorTransport but Relying Parties SHOULD accept unknown values.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1587 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 21 March 2021 18:21:53 UTC
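
The two readings quoted in the message above, compared on the server side. This is an added example, not part of the original message or of the WebAuthn specification. The function names, the `Map` used as credential store, and the sample credential with its unknown transport string are assumptions made for illustration.

```javascript
// AuthenticatorTransport members defined in WebAuthn Level 2.
const KNOWN_TRANSPORTS = new Set(["usb", "nfc", "ble", "internal"]);

// Reading 1: "Relying Parties MUST ignore unknown values", taken as "drop them".
function storeFiltered(db, credentialId, transports) {
  db.set(credentialId, transports.filter((t) => KNOWN_TRANSPORTS.has(t)));
}

// Reading 2: step 23, "This value SHOULD NOT be modified before or after
// storing it". Only the shape is checked; the values are kept as received.
function storeVerbatim(db, credentialId, transports) {
  const ok = Array.isArray(transports) &&
    transports.every((t) => typeof t === "string");
  if (!ok) throw new TypeError("transports must be an array of strings");
  db.set(credentialId, [...transports]);
}

// At authentication time the RP echoes the stored hints back to the client
// in allowCredentials. The id stays a base64url string here, as a server
// would serialize it; the client decodes it before calling get().
function allowCredentialsFor(db, credentialIds) {
  return credentialIds.map((id) => ({
    type: "public-key",
    id,
    transports: db.get(id) ?? [],
  }));
}

// Constructed sample: what getTransports() might return when the client
// knows a transport that is not in the RP's copy of the enum.
const SAMPLE = {
  credentialId: "Y3JlZC0x",
  transports: ["usb", "example-future-transport"],
};

function compareReadings(sample = SAMPLE) {
  const filteredDb = new Map();
  const verbatimDb = new Map();
  storeFiltered(filteredDb, sample.credentialId, sample.transports);
  storeVerbatim(verbatimDb, sample.credentialId, sample.transports);
  return {
    filtered: allowCredentialsFor(filteredDb, [sample.credentialId])[0],
    verbatim: allowCredentialsFor(verbatimDb, [sample.credentialId])[0],
  };
}
```

Under the first reading the hint for the unknown transport never reaches the client again; under the second the RP returns exactly what the client produced at registration.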
