fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

Fido2 Conformance Test Tool: should the previously registered credentialID be considered as invalid? #358

Closed geofli closed 6 years ago

geofli commented 6 years ago

What protocol and version of the protocol are you testing?

FIDO2 v2.0

What is your implementation class?

ASM+Authr

What version of the tool are you using?

fido2-conformance-module : v0.10.106

What OS and version are you running?

WIN10 (17134)

Issue description

Case: Authr-MakeCred-Req-5 Test: F7 Description: The test case requires returning an error CTAP2_ERR_CREDENTIAL_EXCLUDED when sending a CTAP2 authenticatorMakeCredential(0x01) message with an "excludeList" that contains a "PublicKeyCredentialDescriptor" with "id" set to the ID of the previously registered authenticator.

But we think under the current credentialID, the previously registered credentialID is considered as an invalid id. This solution is much more secure and precise.

yackermann commented 6 years ago

If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED. User presence check is required for CTAP2 authenticators before the RP gets told that the token is already registered to behave similarly to CTAP1/U2F authenticators.

https://drafts.fidoalliance.org/fido-2/latest/fido-client-to-authenticator-protocol-v2.0-wd-20180731.html#authenticatorMakeCredential

geofli commented 6 years ago

Yuriy, your quote is not the same situation as the test case. In your test, you first register a user A, then register a user B with an "excludeList" that contains A's ID and expect an error code.

We think this should not happen, otherwise one authenticator cannot register multiple users on one RP.

Your quoted statement of the SPEC is specific to limiting the creation of multiple credentials for the same account on a single authenticator.


yackermann commented 6 years ago

@Geoffrey-Li So consider a situation:

User registers an authenticator on example.com. Then the user tries to register another authenticator. In that situation the RP generates an "excludeList" that contains the credId associated with that rpId. The client sends this request to all authenticators, and if an authenticator recognises the credential, it must exclude it so that the user won't double-register the same authenticator.
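The excludeList behaviour discussed in this thread, modelled as an added example (not code from the conformance tool or from the FIDO specifications). It is a toy Python authenticator whose names (ToyAuthenticator, make_credential, replay_makecred_req_5) are assumptions; it shows that a match is only refused when the excluded credId is bound to the same rpId, that user presence is requested before the error is returned, and that a second account on the same RP with its own excludeList still registers fine.

```python
import os
from dataclasses import dataclass, field

CTAP2_OK = 0x00
CTAP2_ERR_CREDENTIAL_EXCLUDED = 0x19  # CTAP2 status code returned on an excludeList match


@dataclass
class Credential:
    cred_id: bytes
    rp_id: str
    user_id: bytes


@dataclass
class ToyAuthenticator:
    """Minimal model of authenticatorMakeCredential's excludeList handling (assumed name)."""
    creds: list = field(default_factory=list)
    presence_checks: int = 0  # how often user presence was requested

    def _wait_for_user_presence(self) -> None:
        # A real authenticator waits for a touch here; we only count the request.
        self.presence_checks += 1

    def make_credential(self, rp_id: str, user_id: bytes, exclude_list=()):
        """Return (status, credential_id) the way a CTAP2 authenticator would."""
        for cred in self.creds:
            # Only credentials bound to the *same* rpId count; the same bytes
            # presented under another rpId are simply unknown to this check.
            if cred.rp_id == rp_id and cred.cred_id in exclude_list:
                self._wait_for_user_presence()  # required before the RP learns anything
                return CTAP2_ERR_CREDENTIAL_EXCLUDED, None
        self._wait_for_user_presence()
        new_id = os.urandom(16)  # constructed sample credentialId
        self.creds.append(Credential(new_id, rp_id, user_id))
        return CTAP2_OK, new_id


def replay_makecred_req_5() -> dict:
    """Replay the thread's flow: user A registers, then the RP excludes A's credId."""
    authr = ToyAuthenticator()
    status_a, cred_a = authr.make_credential("example.com", b"user-A")
    # Re-registering the same account with its credId excluded must be refused.
    status_dup, _ = authr.make_credential("example.com", b"user-A", [cred_a])
    # A different account on the same RP carries its own (empty) excludeList.
    status_b, _ = authr.make_credential("example.com", b"user-B")
    # The same credId presented for a different rpId is not recognised.
    status_other, _ = authr.make_credential("other.example", b"user-A", [cred_a])
    return {"first": status_a, "duplicate": status_dup, "second_user": status_b,
            "other_rp": status_other, "stored": len(authr.creds),
            "presence_checks": authr.presence_checks}
```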