- From: Jakob Ehrensvärd <jakob@yubico.com>
- Date: Mon, 24 Apr 2017 18:29:03 -0700
- To: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Not saying it has to be the way it's proposed, but let me give some background on how this has been discussed before we put it in print:

Just like with TUP (or UP), this checking may actually be optional, so the RP cannot make implicit assumptions if in fact UV has been verified by the authenticator. If the platform can control if UV shall be verified by the authenticator, the actual verification status needs to be within the signed envelope.

The initial approach was to use the UVM extension for this purpose, but as the general consensus around extensions and how the platforms would handle them faded away, we felt that this should probably be a part of the core response. Burning one single bit here should not be that bad as it becomes a 'catch all' for any means of UV verification by the authenticator.

We briefly considered adding more bits, potentially revealing what kind of UV was performed, but this quickly spins out of control. I believe that part can be statically resolved based on the AAGUID.

Jakob Ehrensvard
CTO
Skype: jehrensvard
US mobile: +1 650-283-1537
SE mobile: +46 (0) 708 24 63 53
http://www.yubico.com

On Mon, Apr 24, 2017 at 4:27 PM, Alexei Czeskis via GitHub <sysbot+gh@w3.org> wrote:
> I'm saying that I would like to be very cautious about burning those bits,
> there are only 7 of them left -- there are other ways of expressing this
> like putting it in the attestation or as an extension.
>
> --
> GitHub Notification of comment by leshi
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/424#issuecomment-296849425 using your
> GitHub account
Received on Tuesday, 25 April 2017 01:30:51 UTC
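The point Jakob makes above, that the RP must read the UV status from inside the signed envelope rather than assume it, can be shown with a small RP-side check over the authenticatorData flags byte. The following is an added example, not code from the thread or from the WebAuthn spec editors; it uses the flag layout as later published in WebAuthn Level 1 (bit 0 UP, bit 2 UV, bit 6 AT, bit 7 ED, the rest reserved), a hypothetical `user_verification` policy string mirroring the `userVerification` option, and constructed sample authenticatorData with no attested credential data.

```python
"""Added example: parse the WebAuthn authenticatorData flags byte and enforce
the RP's user-verification policy from the bits inside the signed envelope.

Layout per published WebAuthn Level 1: rpIdHash (32 bytes), flags (1 byte),
signCount (4 bytes, big-endian), then optional attested credential data and
extensions. Flag bits: 0=UP, 2=UV, 6=AT, 7=ED; all others reserved.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (the single "catch all" bit discussed above)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header; reject anything shorter."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rpIdHash": rp_id_hash,
        "flags": flags,
        "UP": bool(flags & FLAG_UP),
        "UV": bool(flags & FLAG_UV),
        "AT": bool(flags & FLAG_AT),
        "ED": bool(flags & FLAG_ED),
        "signCount": sign_count,
    }


def check_verification_policy(auth_data: bytes, rp_id: str,
                              user_verification: str) -> bool:
    """RP-side policy check (hypothetical helper, not a spec function).

    rpIdHash must match the RP's own ID, UP must always be set, and UV must
    be set when the RP asked for 'required'. 'preferred' and 'discouraged'
    accept either UV state. Only bits from the signed data are consulted;
    nothing the client says outside the signature is trusted.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not parsed["UP"]:
        return False
    if user_verification == "required" and not parsed["UV"]:
        return False
    return True


def data_to_be_signed(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Message the authenticator signs: authData || SHA-256(clientDataJSON).
    Because the flags byte sits inside authData, changing UV in transit
    changes the signed message and so invalidates the signature."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (header only, no attested
    credential data or extensions), for demonstration."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    ad_uv = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    ad_up = build_auth_data("example.com", FLAG_UP, 8)
    print(parse_authenticator_data(ad_uv))
    print(check_verification_policy(ad_uv, "example.com", "required"))   # True
    print(check_verification_policy(ad_up, "example.com", "required"))   # False
    print(check_verification_policy(ad_up, "example.com", "preferred"))  # True
```

The decision in `check_verification_policy` depends only on bytes covered by the authenticator's signature; the RP verifies that signature over `data_to_be_signed(...)` with the credential's public key first, then reads the flags. That ordering is what makes a single UV bit sufficient: the RP never has to trust a platform-side claim that verification happened.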