- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Tue, 27 Jun 2023 02:45:57 +0000
- To: public-webauthn@w3.org

I wasn't setting out to make that connection, but it is potentially related. Perhaps the best way to look at my concern is to ask this question: Why *should* the userHandle be passed back to the RP during assertion flows? What practical/valuable purpose does that serve?

The purpose I've heard that makes sense is from @emlun, who suggested it could be preferred by the RP as an index into user accounts since the RP generates it rather than the authenticator. The alternative is to use RPID+CredentialID as the lookup index; however, in thinking about this more, what would happen if two different authenticators generated the same CredentialID for the RP - unlikely, but isn't that still possible? This would make such lookup non-deterministic, and may even result in a registration failure if the RP is enforcing such uniqueness.

The more I think about it, the more I like what we already have in the L3 draft, with the possible addition of the description that the userHandle also allows the authenticator to recognize when to replace a discoverable credential during creation.

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1909#issuecomment-1608648459 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 27 June 2023 02:45:59 UTC