Re: [webauthn] How to guarantee created resident key is actually received by RP in adverse networking conditions? (#2038)

The spec currently reads

> excludeCredentialDescriptorList
> An OPTIONAL list of [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) objects provided by the [Relying Party](https://w3c.github.io/webauthn/#relying-party) with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials.

This gives the illusion that implementing excludeCredentials is optional.

Given that this overrides discoverable credentials, which can lead to user lockout, I think we should change the wording to SHALL NOT or MUST NOT.

We should also make it clear that calling create without excludeCredentials can lead to lockout. Calling this an OPTIONAL list is maybe a bit too weak, too?

-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2038#issuecomment-2021714929 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 27 March 2024 00:38:29 UTC
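The lockout the comment above warns about, shown as an added example that is not part of the thread or of the WebAuthn spec text: an RP builds `excludeCredentials` for `navigator.credentials.create()` from the credential IDs it already has on file, and a toy authenticator model shows what happens when the list is omitted. The `ToyAuthenticator`, `buildCreationOptions`, `classifyCreateError` and `demonstrateLockout` names, the RP record layout and the sample user are assumptions for illustration; the one-discoverable-credential-per-(rpId, user.id) rule and the `InvalidStateError` the client surfaces when an excluded credential is present are spec behaviour, everything else is a simplified model, not a real authenticator.

```javascript
// Added example (not from the thread). Assumed helper names throughout.

// WebAuthn wants credential IDs and user.id as BufferSource; RPs usually store
// them base64url-encoded, so convert both ways (works in browsers and Node).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToBase64url(bytes) {
  const bin = String.fromCharCode(...bytes);
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function bytesEqual(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Options for navigator.credentials.create(). knownCredentials is every
// credential the RP has on file for this user (assumed record shape).
function buildCreationOptions({ challenge, rpId, user, knownCredentials }) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challenge),
      rp: { id: rpId, name: rpId },
      user: { id: base64urlToBytes(user.id), name: user.name, displayName: user.displayName },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
      // An authenticator that already holds one of these refuses to create,
      // instead of silently replacing the discoverable credential the RP relies on.
      excludeCredentials: knownCredentials.map((c) => ({
        type: "public-key",
        id: base64urlToBytes(c.id),
        transports: c.transports ?? [],
      })),
    },
  };
}

// Map the DOMException name from create() to an RP action. "InvalidStateError"
// is what the client returns when the authenticator hit the exclude list.
function classifyCreateError(err) {
  switch (err && err.name) {
    case "InvalidStateError": return "already-registered";
    case "NotAllowedError": return "cancelled-or-timeout";
    default: return "unknown";
  }
}

// Simplified model of a discoverable-credential store: one credential per
// (rpId, user.id), a new one replacing the old. Not a real authenticator.
class ToyAuthenticator {
  constructor() { this.credentials = []; this.counter = 0; }
  makeCredential(opts) {
    const pk = opts.publicKey;
    const mine = this.credentials.filter((c) => c.rpId === pk.rp.id);
    for (const ex of pk.excludeCredentials ?? []) {
      if (mine.some((c) => bytesEqual(c.credId, ex.id))) {
        const e = new Error("excluded credential already present");
        e.name = "InvalidStateError";
        throw e;
      }
    }
    // Same rpId + user.id: the existing discoverable credential is overwritten.
    this.credentials = this.credentials.filter(
      (c) => !(c.rpId === pk.rp.id && bytesEqual(c.userId, pk.user.id)));
    const credId = Uint8Array.from([++this.counter]);
    this.credentials.push({ rpId: pk.rp.id, userId: pk.user.id, credId });
    return credId;
  }
  // Credential IDs the authenticator would offer for a discoverable login.
  discoverable(rpId) {
    return this.credentials.filter((c) => c.rpId === rpId).map((c) => c.credId);
  }
}

// Register once, then call create() again on the same authenticator, with or
// without excludeCredentials. Returns whether the RP can still match any
// credential the authenticator offers (constructed sample user "user-1").
function demonstrateLockout(useExcludeList) {
  const auth = new ToyAuthenticator();
  const rpId = "example.com";
  const user = { id: "dXNlci0x", name: "alice", displayName: "Alice" };
  const rpRecords = [];
  const first = auth.makeCredential(buildCreationOptions({ challenge: "AAAA", rpId, user, knownCredentials: [] }));
  rpRecords.push({ id: bytesToBase64url(first), transports: ["internal"] });
  let error = null;
  try {
    auth.makeCredential(buildCreationOptions({
      challenge: "BBBB", rpId, user, knownCredentials: useExcludeList ? rpRecords : [],
    }));
  } catch (e) {
    error = classifyCreateError(e);
  }
  const stillUsable = auth.discoverable(rpId)
    .some((id) => rpRecords.some((r) => r.id === bytesToBase64url(id)));
  return { error, stillUsable };
}
```

Without the exclude list the second `create()` succeeds, the authenticator now holds a credential the RP has never seen, and the user's only discoverable credential no longer matches anything on file; with the list the second call fails with `InvalidStateError`, which the RP can treat as "this authenticator is already registered, sign in with it instead".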