Re: [webauthn] Better specify what an unknown type credential descriptor being ignored means (#1748)

Interesting point. I agree that implicitly falling back to behaving as if `allowCredentials` were empty is clearly not what the RP intended, since that entails username-less authentication, but I also think that similar to #1738, ignoring unknown values is needed for forward compatibility.

Maybe we can change the requirement to be that "[client platforms](https://w3c.github.io/webauthn/#client-platform) MUST ignore any [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) with an unknown [type](https://w3c.github.io/webauthn/#dom-publickeycredentialdescriptor-type), treating the item as if it was not present" ***but*** if this results in an empty `allowCredentials`, then throw an error? In that case we would need to move the requirement from the `PublicKeyCredentialDescriptor` definition to the definitions of `excludeCredentials` and `allowCredentials` (and/or maybe the `create()` and `get()` operations).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1748#issuecomment-1160767740 using your GitHub account



Received on Monday, 20 June 2022 19:15:34 UTC
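
The behaviour proposed in the comment above, sketched as an added example that is not part of the original message or of the WebAuthn specification: unknown-type descriptors are ignored, but a non-empty `allowCredentials` that filters down to nothing raises an error instead of becoming a username-less request. The function name, the error class and the sample descriptors are assumptions made for illustration.

```javascript
// Added illustration: names below are hypothetical, not from the WebAuthn spec.
// "public-key" is the only PublicKeyCredentialDescriptor type this sketch knows.
const KNOWN_TYPES = new Set(["public-key"]);

// Assumption: the comment only says "throw an error"; this error name is a placeholder.
class EmptyAfterFilterError extends Error {
  constructor(message) {
    super(message);
    this.name = "EmptyAfterFilterError";
  }
}

// Drops descriptors with an unknown type, then distinguishes the two ways the
// list can end up empty: the RP sent none (username-less flow), or every entry
// was ignored (the RP asked for specific credentials, so fail instead).
function resolveAllowCredentials(allowCredentials = []) {
  if (allowCredentials.length === 0) {
    return { mode: "username-less", descriptors: [] };
  }
  const known = allowCredentials.filter((d) => KNOWN_TYPES.has(d.type));
  if (known.length === 0) {
    throw new EmptyAfterFilterError(
      "allowCredentials contained only descriptors of unknown type"
    );
  }
  return { mode: "allow-list", descriptors: known };
}

// Constructed sample input; the ids and "future-type" are made up.
const id1 = new Uint8Array([1, 2, 3, 4]);
const id2 = new Uint8Array([5, 6, 7, 8]);

function demo() {
  const results = {};
  results.empty = resolveAllowCredentials([]).mode;
  results.mixed = resolveAllowCredentials([
    { type: "public-key", id: id1 },
    { type: "future-type", id: id2 },
  ]).descriptors.length;
  try {
    resolveAllowCredentials([{ type: "future-type", id: id2 }]);
    results.allUnknown = "silently became username-less";
  } catch (e) {
    results.allUnknown = e.name;
  }
  return results;
}

console.log(demo());
```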