Re: [webauthn] Revisit description of userHandle (#1909)

I realise after writing this that I was originally still looking at an [old definition of step 6 of section 7.2](https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion), and that under the new definition of that step, the userHandle can be used to look up an account, but then it is required that the credentialID also be matched to that account, which is ok.

I do have some lingering concerns over allowing the user/client to initiate account lookups based on an injected userHandle, but don't have a concrete reason as to why that's a terrible thing to do just yet.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1909#issuecomment-1608587142 using your GitHub account


Received on Tuesday, 27 June 2023 01:56:17 UTC
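The verification logic the comment refers to, as an added example that is not part of the thread and not code from the WebAuthn specification or any library: a relying-party implementation of the "identify the user" step of assertion verification (step 6 of section 7.2 in the Level 3 draft, as read here), where an account is selected either from a pre-identified user or from the userHandle supplied in the response, and in both cases the credential ID must belong to that account. The `AccountStore`, `identify_user` and the sample accounts are constructed for this example; the assumed rule that a present userHandle must also equal the pre-identified account's handle follows my reading of the current step text.

```python
# Added example (not from the webauthn issue thread or the spec text):
# relying-party side "identify the user" step of assertion verification.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CredentialRecord:
    credential_id: bytes
    public_key: bytes          # COSE key bytes in a real RP; opaque here
    sign_count: int = 0


@dataclass
class UserAccount:
    user_handle: bytes         # the user.id the RP minted at registration
    username: str
    credentials: Dict[bytes, CredentialRecord] = field(default_factory=dict)


class AccountStore:
    """Hypothetical in-memory account store keyed by user handle."""

    def __init__(self) -> None:
        self._by_handle: Dict[bytes, UserAccount] = {}

    def add(self, account: UserAccount) -> None:
        self._by_handle[account.user_handle] = account

    def by_handle(self, handle: bytes) -> Optional[UserAccount]:
        return self._by_handle.get(handle)


class VerificationError(Exception):
    """Single failure type so callers do not leak which sub-check failed."""


def identify_user(
    store: AccountStore,
    credential_raw_id: bytes,
    response_user_handle: Optional[bytes],
    pre_identified_user: Optional[UserAccount] = None,
) -> Tuple[UserAccount, CredentialRecord]:
    """Return (account, credentialRecord) or raise VerificationError.

    The userHandle only *selects* which account's stored public keys will be
    checked; the credential ID must be registered to that account, and the
    caller then verifies the assertion signature against that record's key.
    A client-supplied handle therefore cannot by itself log in as anyone.
    """
    if pre_identified_user is not None:
        account = pre_identified_user
        # Assumed rule: a userHandle sent alongside a pre-identified login
        # must agree with that account, otherwise the ceremony is rejected.
        if response_user_handle is not None and response_user_handle != account.user_handle:
            raise VerificationError("userHandle does not match identified account")
    else:
        if response_user_handle is None:
            raise VerificationError("no user identified and no userHandle present")
        account = store.by_handle(response_user_handle)
        if account is None:
            raise VerificationError("no account for supplied userHandle")

    record = account.credentials.get(credential_raw_id)
    if record is None:
        # Same exception type as the lookup failure: an attacker probing
        # handles learns nothing extra from a mismatch versus a miss.
        raise VerificationError("credential is not registered to this account")
    return account, record


def build_sample_store() -> AccountStore:
    """Constructed sample data: two users, one credential each."""
    store = AccountStore()
    alice = UserAccount(bytes.fromhex("a1" * 16), "alice")
    alice.credentials[b"cred-alice"] = CredentialRecord(b"cred-alice", b"pk-alice")
    bob = UserAccount(bytes.fromhex("b2" * 16), "bob")
    bob.credentials[b"cred-bob"] = CredentialRecord(b"cred-bob", b"pk-bob")
    store.add(alice)
    store.add(bob)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    acct, rec = identify_user(s, b"cred-alice", bytes.fromhex("a1" * 16))
    print(acct.username, rec.credential_id)
    try:
        # Alice's handle with Bob's credential ID must be rejected.
        identify_user(s, b"cred-bob", bytes.fromhex("a1" * 16))
    except VerificationError as e:
        print("rejected:", e)
```

The point the comment settles is visible in the second half of `identify_user`: whichever way the account was chosen, the assertion is only accepted if `credential_raw_id` is one of that account's registered credentials, so an attacker-controlled userHandle can at most direct the RP to check a signature it cannot produce.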