[webauthn] Inconsistent RP directions for handling credential transports (#1587)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Inconsistent RP directions for handling credential transports ==
The definition of [`AuthenticatorAttestationResponse.getTransports()`](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#dom-authenticatorattestationresponse-transports-slot) reads:

>[...] The values SHOULD be members of AuthenticatorTransport but Relying Parties MUST ignore unknown values.

However [§7.1. Registering a New Credential, step 23](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#ref-for-dom-authenticatorattestationresponse-gettransports%E2%91%A3) reads (emphasis added):

>[...]
>It is RECOMMENDED to also:
>- Associate the credentialId with the transport hints returned by calling credential.response.getTransports(). **This value SHOULD NOT be modified** before or after storing it. [...]

These directions seem to be in conflict, and I think the latter is more correct. The transports value is primarily for the client to consume while the RP just needs to echo it back later, so the RP shouldn't need to care about what it contains. So I think we should edit the former to read:

>The values SHOULD be members of AuthenticatorTransport but Relying Parties MUST accept unknown values.

or perhaps:

>The values SHOULD be members of AuthenticatorTransport but Relying Parties SHOULD accept unknown values.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1587 using your GitHub account
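The two readings of the spec text discussed in the issue, side by side, as an added example that is not part of the issue or the WebAuthn specification: one RP drops values outside `AuthenticatorTransport` before storing, the other stores the array exactly as `getTransports()` returned it and echoes it back unchanged in `allowCredentials`. The `"future-transport"` value is a constructed placeholder for a transport name the RP does not recognise.

```javascript
// Added example (not from the issue or the WebAuthn spec). Shows what each reading of
// the transports text means for a Relying Party's storage and later assertion request.

// AuthenticatorTransport members in the WebAuthn Level 2 Proposed Recommendation.
const KNOWN_TRANSPORTS = ["usb", "nfc", "ble", "internal"];

// Reading 1 ("RPs MUST ignore unknown values"): filter before storing.
// Any hint the RP does not know is lost and can never reach the client again.
function storeTransportsDroppingUnknown(transports) {
  return transports.filter((t) => KNOWN_TRANSPORTS.includes(t));
}

// Reading 2 ("SHOULD NOT be modified"): the value is opaque to the RP; copy it as-is.
// A null return from getTransports() (or an absent method) is stored as an empty list.
function storeTransportsVerbatim(transports) {
  return Array.isArray(transports) ? [...transports] : [];
}

// Later, the RP builds PublicKeyCredentialRequestOptions.allowCredentials from its
// stored records. The transports hint is passed straight through; only the client
// interprets it, so the RP needs no knowledge of what the strings mean.
function buildAllowCredentials(storedCredentials) {
  return storedCredentials.map((c) => ({
    type: "public-key",
    id: c.credentialId,
    ...(c.transports.length > 0 ? { transports: c.transports } : {}),
  }));
}

// Runs both readings over one registration result and returns the descriptors each
// RP would send back at authentication time, so the difference is visible.
function compareReadings(credentialId, transports) {
  const dropped = storeTransportsDroppingUnknown(transports);
  const verbatim = storeTransportsVerbatim(transports);
  return {
    ignoreUnknown: buildAllowCredentials([{ credentialId, transports: dropped }]),
    acceptUnknown: buildAllowCredentials([{ credentialId, transports: verbatim }]),
  };
}

// Constructed sample: credential id bytes and hints including an unrecognised
// transport name ("future-transport" is a placeholder, not a real enum value).
const sampleId = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
const sampleTransports = ["usb", "future-transport"];
console.log(JSON.stringify(compareReadings(sampleId, sampleTransports)));
```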


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 21 March 2021 18:21:53 UTC