Re: [webauthn] Why was PR #409 (UV bit) merged?

> I note that his comment on PR #409 was never answered/addressed.

It was never addressed because the PR is to the CTAP spec, which is part of FIDO. The CTAP spec is patented so I don't believe I can share it publicly on GitHub. I will follow up with Alexei to share it. But I don't think it matters given that a number of parts of the Web API already predicate the CTAP spec.

> Second, I don't think this is needed. Why can't you specify what type of user presence/verification check is needed during key (credential) creation? The attestation will tell you what type of key was made by this authenticator and then subsequent signatures coming from that credential will tell you that the UV was enforced.

I am perfectly ok with adding a new optional parameter to help authenticator selection. This just adds an optional bit for developers to know whether user verification was performed. I don't know how you would know UV is performed without this bit in. The create method returns clientDataJSON and [attestationObject](https://w3c.github.io/webauthn/#cred-attestation). Neither of which will let the developer know this. Are you suggesting that the RP can figure this out by looking at AAGUID? That way adds much more work. Plus the AAGUID database is not up-and-running yet.

Finally, the reason why I merged the PR is because I haven't seen strong objection to the idea of adding this bit but rather editorial changes which are proposed by Jeff and Jeffrey. I have incorporated all the editorial asks by them. Understandably, one sentence may not be optimal per Jeff's comment above. I do apologize for that sentence and I am perfectly happy with opening up a new PR to address this. Finally, we have said on last week's call that if you have an objection, you will review the PR by the end of the week and let us know if you don't think the idea is good.


-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/424#issuecomment-296846973 using your GitHub account

Received on Monday, 24 April 2017 23:10:35 UTC
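
The relying-party check this message is about, as an added example that is not part of the original e-mail or of PR #409: it reads the UV flag from authenticator data and applies a policy. The flag positions and the 37-byte header layout are those of the published WebAuthn authenticator data structure, not something stated in this thread; the function names and sample bytes are constructed for illustration, and the signature over the data is assumed to have been verified already.

```javascript
// Added example. Layout assumed from the published WebAuthn spec:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data shorter than the 37-byte header");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical RP-side policy helper. The caller must already have verified
// the signature covering these bytes; otherwise the flags prove nothing.
function checkUserVerification(bytes, expectedRpIdHash, requireUv) {
  const ad = parseAuthenticatorData(bytes);
  const sameRp =
    expectedRpIdHash.length === 32 &&
    ad.rpIdHash.every((b, i) => b === expectedRpIdHash[i]);
  if (!sameRp) return "reject: rpIdHash mismatch";
  if (!ad.userPresent) return "reject: user presence not asserted";
  if (requireUv && !ad.userVerified) {
    return "reject: user verification required but UV not set";
  }
  return ad.userVerified ? "accept: user verified" : "accept: presence only";
}

// Constructed sample input: a fixed dummy rpIdHash plus chosen flags.
const SAMPLE_RP_HASH = new Uint8Array(32).fill(0xab);
function sampleAuthData(flags, signCount) {
  const b = new Uint8Array(37);
  b.set(SAMPLE_RP_HASH, 0);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}

console.log(checkUserVerification(sampleAuthData(0x05, 7), SAMPLE_RP_HASH, true));
console.log(checkUserVerification(sampleAuthData(0x01, 7), SAMPLE_RP_HASH, true));
```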