- From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
- Date: Tue, 27 Jun 2023 04:56:09 +0000
- To: public-webauthn@w3.org
> The alternative is to use RPID+CredentialID as the lookup index, however in thinking about this more, what would happen if two different authenticators generated the same CredentialID for the RP (for different users) - unlikely, but isn't that still possible?

When registering a new credential in the storage, the RP needs to check whether the credential ID is duplicated or not; if it is duplicated, the RP SHOULD reject registration with that credential ID. See step 25 in the [Registering a New Credential section](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential).

> Verify that the [credentialId](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialid) is not yet registered for any user. If the [credentialId](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialid) is already known then the [Relying Party](https://w3c.github.io/webauthn/#relying-party) SHOULD fail this [registration ceremony](https://w3c.github.io/webauthn/#registration-ceremony).

The spec does not mandate that RPs reject such duplicated credential IDs, so, if the RP policy does accept a duplicated credential ID among different user accounts and there is no `userHandle`, the RP cannot identify the credential owner if any other user has a credential with the same credential ID.

--
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1909#issuecomment-1608796406 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 27 June 2023 04:56:11 UTC
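As an added illustration of the two points raised in the comment above (the step-25 duplicate-credentialId check at registration, and the ambiguity of a lookup keyed only by RP ID + credentialId when that check is skipped and no `userHandle` is available), here is a small relying-party credential store. This is example code written for this note, not code from the WebAuthn specification or from any RP implementation; the `CredentialStore` class, the RP ID `example.com`, the user handles and the credentialId bytes are all constructed assumptions.

```python
"""Hypothetical RP credential store (constructed example, not from the WebAuthn
spec or any project). It shows the step-25 check that rejects an already-known
credentialId and why a lookup keyed only by (rpId, credentialId) becomes
ambiguous when an RP policy tolerates duplicates and no userHandle is present."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class DuplicateCredentialId(Exception):
    """Raised when a credentialId is already registered for this RP (any user)."""


class AmbiguousCredential(Exception):
    """Raised when more than one stored credential matches the lookup key."""


@dataclass(frozen=True)
class StoredCredential:
    rp_id: str
    credential_id: bytes   # raw credentialId bytes from attestedCredentialData
    user_handle: bytes     # the RP's user.id for the owning account
    public_key: bytes      # COSE public key, kept opaque in this example


class CredentialStore:
    def __init__(self, reject_duplicate_ids: bool = True):
        # True follows the SHOULD in step 25 of the registration ceremony;
        # False models an RP policy that tolerates duplicate credentialIds.
        self.reject_duplicate_ids = reject_duplicate_ids
        self._creds: List[StoredCredential] = []

    def register(self, cred: StoredCredential) -> None:
        # Step 25: is this credentialId already registered for ANY user of this RP?
        already_known = any(
            c.rp_id == cred.rp_id and c.credential_id == cred.credential_id
            for c in self._creds
        )
        if already_known and self.reject_duplicate_ids:
            raise DuplicateCredentialId(cred.credential_id.hex())
        self._creds.append(cred)

    def lookup(self, rp_id: str, credential_id: bytes,
               user_handle: Optional[bytes] = None) -> Optional[StoredCredential]:
        matches = [c for c in self._creds
                   if c.rp_id == rp_id and c.credential_id == credential_id]
        if user_handle is not None:
            # A userHandle in the assertion response disambiguates the owner.
            matches = [c for c in matches if c.user_handle == user_handle]
        if not matches:
            return None
        if len(matches) > 1:
            # Fail closed instead of guessing whose public key to verify against.
            raise AmbiguousCredential(credential_id.hex())
        return matches[0]


def demonstrate() -> Dict[str, str]:
    """Run both policies on the same constructed input and report the outcomes."""
    rp = "example.com"
    # Constructed: the same credentialId produced by two different authenticators.
    shared_id = bytes.fromhex("0102030405060708")
    alice = StoredCredential(rp, shared_id, b"user-alice", b"cose-key-alice")
    bob = StoredCredential(rp, shared_id, b"user-bob", b"cose-key-bob")
    outcome: Dict[str, str] = {}

    strict = CredentialStore(reject_duplicate_ids=True)
    strict.register(alice)
    try:
        strict.register(bob)
        outcome["strict_second_registration"] = "accepted"
    except DuplicateCredentialId:
        outcome["strict_second_registration"] = "rejected"

    lenient = CredentialStore(reject_duplicate_ids=False)
    lenient.register(alice)
    lenient.register(bob)
    try:
        lenient.lookup(rp, shared_id)
        outcome["lenient_lookup_without_user_handle"] = "resolved"
    except AmbiguousCredential:
        outcome["lenient_lookup_without_user_handle"] = "ambiguous"
    found = lenient.lookup(rp, shared_id, user_handle=b"user-bob")
    outcome["lenient_lookup_with_user_handle"] = (
        found.user_handle.decode() if found else "none")
    return outcome


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The strict store enforces the step-25 SHOULD and the second registration fails; the lenient store accepts both, after which a lookup by RP ID + credentialId alone cannot say whose public key to verify the assertion against and the only safe answer is to refuse, unless the assertion carried a `userHandle` that narrows the match to one account.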