Re: [webauthn] Why was PR #409 (UV bit) merged?

@leshi wrote: 
>I really don't think this PR (#409) should have been merged.

I tend to agree with @leshi. I note that [his comment](https://github.com/w3c/webauthn/pull/409#issuecomment-295347821) on PR #409 was never answered/addressed.

Also, it appears that this sentence was crafted in response to [one of my comments](https://github.com/w3c/webauthn/pull/409#discussion_r112822594) on the PR:
> If the authenticator's user verification procedure also obtained a positive [=Test of User Presence] result, the TUP flag would be set as well.

...but that sentence is suboptimal from a spec perspective. It is implying that testing user presence could be different than obtaining user verification. Is it? Or is it always the case that if one has verified the user, you've also verified presence, by definition? Also, we should probably be using MUST in the bit 0 & bit 1 descriptions wrt being set.

@leshi wrote: 
> Second, I don't think this is needed. Why can't you specify what type of user presence/verification check is needed during key (credential) creation?

Ah, and this would be yet another authenticator attribute for RP-driven authenticator selection, further begging the question of having a framework to express and handle that, or continuing to approach it in an ad-hoc manner. See https://github.com/w3c/webauthn/pull/378#pullrequestreview-34141186

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/424#issuecomment-296819990 using your GitHub account

Received on Monday, 24 April 2017 20:56:55 UTC