Re: [webauthn] Should race condition be added as a reason for a signature counter not increasing? (#2172)

> The RP could snapshot all signCount for all authenticators associated to the user at the time the ceremony began to make that fix work for empty allow lists.

That requires the RP server to know the user handle at the beginning of the ceremony, which is not always the case. For non-discoverable requests this is always true since the server needs to know the user handle in order to fetch the registered credentials; however, for discoverable requests, the server may not know the user handle until the authentication response is sent (i.e., [`AuthenticatorAssertionResponseJSON.userHandle`](https://w3c.github.io/webauthn/#dom-authenticatorassertionresponsejson-userhandle) is received by the server).

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2172#issuecomment-2433428371 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 23 October 2024 20:47:01 UTC
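
The point made in the comment above, as an added example that is not part of the original message or of the WebAuthn specification: a minimal in-memory RP that snapshots `signCount` when a ceremony begins, which it can only do if it already knows the user handle. It assumes the fix under discussion is to compare the received counter against the value recorded at ceremony start; `makeRp`, `begin`, `finish`, `overlappingCeremonies` and all credential data are hypothetical and constructed.

```javascript
// Added illustration; function and field names are hypothetical, data is constructed.
function makeRp() {
  // credentialId -> record kept by the RP since registration / last authentication
  const credentials = new Map([
    ["cred-A", { userHandle: "user-1", signCount: 5 }],
    ["cred-B", { userHandle: "user-1", signCount: 9 }],
  ]);
  const ceremonies = new Map();
  let nextId = 0;

  // userHandle is null for a discoverable request (empty allowCredentials):
  // the server does not yet know whose credentials to snapshot.
  function begin(userHandle) {
    let snapshot = null;
    if (userHandle !== null) {
      snapshot = new Map();
      for (const [id, c] of credentials) if (c.userHandle === userHandle) snapshot.set(id, c.signCount);
    }
    const ceremonyId = `ceremony-${++nextId}`;
    ceremonies.set(ceremonyId, { snapshot });
    return ceremonyId;
  }

  // response carries the assertion fields that matter here: credential id, userHandle, signCount.
  function finish(ceremonyId, response) {
    const ceremony = ceremonies.get(ceremonyId);
    const cred = credentials.get(response.credentialId);
    if (!ceremony || !cred) throw new Error("unknown ceremony or credential");
    ceremonies.delete(ceremonyId);
    const snap = ceremony.snapshot;
    if (snap && !snap.has(response.credentialId)) throw new Error("credential not in snapshot");
    const baseline = snap ? snap.get(response.credentialId) : cred.signCount;
    const increased = response.signCount > baseline;
    cred.signCount = Math.max(cred.signCount, response.signCount);
    return { increased, baseline };
  }
  return { begin, finish };
}

// Two overlapping ceremonies on cred-A; the later signature (7) reaches the server first.
function overlappingCeremonies(userHandleAtStart) {
  const rp = makeRp();
  const first = rp.begin(userHandleAtStart);
  const second = rp.begin(userHandleAtStart);
  const r2 = rp.finish(second, { credentialId: "cred-A", userHandle: "user-1", signCount: 7 });
  const r1 = rp.finish(first, { credentialId: "cred-A", userHandle: "user-1", signCount: 6 });
  return [r2, r1];
}
```

With `overlappingCeremonies("user-1")` both responses are judged against the snapshot value 5 and pass; with `overlappingCeremonies(null)` the late response is judged against the already-updated stored value 7 and is reported as not increased.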