Re: [webauthn] Address description of uses, and requirements for supplying userHandle (#1914)

This was discussed again on the call of 16 August 2023, and the general consensus was that browser vendors seem unlikely to change current implementations to enforce that assertions from an authenticator be rejected if userHandle is not supplied during ceremonies without an allowCredentials list. That said, it is desirable that the spec be internally consistent. Even without browser implementation changes, RPs would still reject these assertions since section 7 already required the RP to verify the userHandle in such cases. This PR makes the spec consistent and the decision was made to merge the PR.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1914#issuecomment-1681086310 using your GitHub account



Received on Wednesday, 16 August 2023 18:27:02 UTC
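
The RP-side check that the comment above relies on, as an added example that is not part of the original message or of the WebAuthn spec text: an assertion from a ceremony without an allowCredentials list is rejected when userHandle is absent or does not belong to the credential's owner. The function name, the in-memory store and all sample values are hypothetical and constructed for illustration; the non-empty allowCredentials branch assumes the RP identified the user before the ceremony.

```javascript
// Constructed sample data: credential id -> owning user handle
// (both shown as base64url strings, compared in canonical form).
const credentialStore = new Map([
  ["Y3JlZC1hbGljZQ", { userHandle: "dXNlci1hbGljZQ" }],
  ["Y3JlZC1ib2I", { userHandle: "dXNlci1ib2I" }],
]);

// Hypothetical helper.
// options:   { allowCredentials?: [{ id }], expectedUserHandle?: string }
// assertion: { id, userHandle } as returned by the client; userHandle may be
//            null, undefined or empty when the authenticator did not supply it.
function checkUserHandle(options, assertion) {
  const record = credentialStore.get(assertion.id);
  if (!record) return { ok: false, reason: "unknown credential" };

  const allow = options.allowCredentials || [];
  const handle = assertion.userHandle ? assertion.userHandle : null;

  if (allow.length === 0) {
    // No allowCredentials list: userHandle is the only thing that identifies
    // the user, so it must be present and must own the credential.
    if (handle === null) return { ok: false, reason: "userHandle missing" };
    if (handle !== record.userHandle) {
      return { ok: false, reason: "userHandle does not own credential" };
    }
    return { ok: true, userHandle: handle };
  }

  // allowCredentials was sent: the user was identified beforehand.
  if (!allow.some((c) => c.id === assertion.id)) {
    return { ok: false, reason: "credential not in allowCredentials" };
  }
  if (options.expectedUserHandle !== record.userHandle) {
    return { ok: false, reason: "credential not owned by identified user" };
  }
  // userHandle is optional here, but if supplied it must agree.
  if (handle !== null && handle !== record.userHandle) {
    return { ok: false, reason: "userHandle mismatch" };
  }
  return { ok: true, userHandle: record.userHandle };
}
```

Run this check before signature verification completes the login, so that a client which passes through an assertion without userHandle still fails at the RP.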