Relaxing user prompt requirements in certain cases

Relaxing the requirement to prompt the user on key creation *if* the authenticator is built-in *and* the RP didn't supply an excludeList of credentials.
w3c · Oct 11, 2017 · 9598e1d · 9598e1d
1 parent 1674caa
commit 9598e1d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/index.bs b/index.bs
@@ -1710,7 +1710,8 @@ When this operation is invoked, the authenticator must perform the following pro
     return an error code equivalent to "{{ConstraintError}}" and terminate the operation.
 1. Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
     if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
-    equivalent to "{{NotAllowedError}}" and terminate the operation.
+    equivalent to "{{NotAllowedError}}" and terminate the operation. The Authenticator and user agent MAY skip this prompt
+    if the Authenticator is a [=platform authenticator=] and |excludeCredentialDescriptorList| is empty.
 1. Once user consent has been obtained, generate a new credential object:
     1. Generate a set of cryptographic keys using the most preferred combination of {{PublicKeyCredentialType}} and cryptographic
         parameters supported by this authenticator.