- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Wed, 27 Mar 2024 00:38:28 +0000
- To: public-webauthn@w3.org
The spec currently reads

> excludeCredentialDescriptorList
> An OPTIONAL list of [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) objects provided by the [Relying Party](https://w3c.github.io/webauthn/#relying-party) with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a list of known credentials.

Which gives the illusion that implementing excludeCredentials is optional. Given that this overrides discoverable credentials that can lead to user lockout I think we should change the wording to SHALL NOT or MUST NOT.

We should also make it clear that calling create without excludeCredentials can lead to lockout. Calling this an OPTIONAL list is maybe a bit too weak too?

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2038#issuecomment-2021714929 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 27 March 2024 00:38:29 UTC
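
For Relying Party implementers reading this thread, the following added example (not part of the message above and not taken from the spec) shows one way to make sure every registration call carries `excludeCredentials` built from the account's stored credentials. The stored record shape (`id` as base64url, optional `transports`) and the function names are assumptions.

```javascript
// Added example. Assumed record shape: { id: "<base64url>", transports: [...] }.

// Decode a base64url credential ID into the bytes create() expects.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialCreationOptions that always include the
// account's known credentials in excludeCredentials.
function buildCreationOptions({ rp, user, challenge, storedCredentials }) {
  if (!Array.isArray(storedCredentials)) {
    // A failed lookup must not silently become "this account has no credentials".
    throw new TypeError("storedCredentials must be an array (empty if none)");
  }
  const seen = new Set();
  const excludeCredentials = [];
  for (const cred of storedCredentials) {
    if (seen.has(cred.id)) continue; // drop duplicate rows
    seen.add(cred.id);
    const descriptor = { type: "public-key", id: b64urlToBytes(cred.id) };
    if (cred.transports && cred.transports.length) {
      descriptor.transports = cred.transports;
    }
    excludeCredentials.push(descriptor);
  }
  return {
    rp,
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
    authenticatorSelection: { residentKey: "required" },
    excludeCredentials,
  };
}

// Browser side: an authenticator that already holds an excluded credential
// makes create() reject with InvalidStateError; treat that as "already
// registered" instead of retrying without the list.
async function register(options) {
  try {
    return await navigator.credentials.create({ publicKey: options });
  } catch (err) {
    if (err.name === "InvalidStateError") return null;
    throw err;
  }
}
```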