Contradiction in whether user handle is required

[emlun]

The definition of Public Key Credential Source includes:

[...] A public key credential source has:

• [...]
• An optional user handle for the person who created this credential source.

However the user handle is required in PublicKeyCredentialUserEntity. We should drop the "optional" from the above bullet point.

[Kieun]

U2F authenticator does not store any user identifier (user handle) for credentials. Even though we send a user handle in PublicKeyCredentialUserEntity during registration, the U2F authenticator ignores it when generating a public key credential. So, I think we don't have to drop "optional" for user handle.

[emlun]

The RP is required to provide the user handle when creating a new credential: #558 (comment) So I do think it makes sense to drop "optional" here. U2F devices will ignore it, and as that comment points out they won't be expected to return it since they're always used in 2nd factor mode.

However, I think that also means we need to change authenticatorGetAssertion step 13 and up the stack to include this behaviour.

[Kieun]

Yeah, user handle is required field for generating a credential. But it does not have to be required field to store credentials. Is that make sense that it is optional in the perspective of credential storage for 2nd factor authenticators?

[emlun]

In a way I think it does make some sense: the conceptual credential "has" a user handle, but since the authenticator will never return it it's fine if the authenticator as an implementation detail doesn't store the user handle. But yeah, that could be confusing.

@jyasskin @christiaanbrand @jeffh thoughts on this?

[emlun]

Reopening to track progress on the TODO stated in #558 (comment)

[emlun]

Closing this along with #730.

[emlun]

@akshayku Did we miss something?
EDIT: Never mind, I just saw your messages in #730.