Re: [webauthn] Require non-null userHandle when allowCredentials is empty? (#1892) from Emil Lundberg via GitHub on 2023-05-17 (public-webauthn@w3.org from May 2023)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 17 May 2023 19:17:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1551927104-1684351031-sysbot+gh@w3.org>

What Christiaan means is that the credential ID is chosen by the authenticator, not the RP. The authenticator is the "external system with limited context", not the RP. So if the credential ID is the only identifier the RP can use to look up a credential, then the RP is not in control of that primary lookup index.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892#issuecomment-1551927104 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 17 May 2023 19:17:15 UTC