Re: [webauthn] Require non-null userHandle when allowCredentials is empty? (#1892)

> What Christiaan means is that the credential ID is chosen by the authenticator, not the RP. The authenticator is the "external system with limited context", not the RP. So if the credential ID is the only identifier the RP can use to look up a credential, then the RP is not in control of that primary lookup index.

I still don't get what exactly the problem is. Regardless of how you look up the credential record, you have to verify credentialId. I would argue that look up by credentialId, which is unique, is better from the performance perspective.

Although RP doesn't generate credentialId, it inserts it in its database and checks the integrity. It has the ultimate say about credentialId and the credential record. From that perspective it is "in control of that primary lookup index".

-- 
GitHub Notification of comment by ndpar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892#issuecomment-1553131278 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 18 May 2023 14:17:56 UTC