[webauthn] Clarify relationship of UP/UV flags in authenticator data structure

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Clarify relationship of UP/UV flags in authenticator data structure ==
@jericks-duo writes in #1108:

> The User Presence (UP) and User Verification (UV) flags in the authenticator data structure (https://www.w3.org/TR/webauthn/#sec-authenticator-data) appear to have a similar purpose to the requireUserPresence and requireUserVerification input parameter booleans in the authenticatorMakeCredential operation. The requireUserPresence and requireUserVerification booleans are explicitly mutually exclusive -- if one is set the other must be unset. My understanding, after discussing the use case for the UP/UV flags, is that both MAY be set (i.e. not mutually exclusive). 
> 
> Example: The relying party may specify that user presence is required, but the authenticator may physically perform a user verification operation. In this case, the relying party may end up checking the UP flag and not the UV flag, so it seems like the authenticator should set both flags, not just the UV flag.
> 
> Just wanted to clarify this in the doc as there may be the potential for confusion during implementation. Or alternately, if there is a reason they should be mutually exclusive, the spec should probably specify that.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1112 using your GitHub account
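To make the distinction the issue is about concrete, here is an added example (not part of the original issue or of the WebAuthn spec text) of the relying-party side: it parses the fixed 37-byte prefix of authenticator data (rpIdHash, flags, signCount) and applies the spec's assertion checks, which always require the UP bit and additionally require the UV bit only when the RP asked for user verification. The function names, the sample rpIdHash (SHA-256 of "example.com") and the constructed authenticator-data bytes are assumptions made for illustration. The last case shows the scenario from the issue: an authenticator that sets UV but not UP fails a UP-only check.

```python
import hashlib
import struct
from typing import Dict, Tuple

# Flag bit positions in the authenticator data flags byte
# (https://www.w3.org/TR/webauthn/#sec-authenticator-data).
UP = 1 << 0  # User Present
UV = 1 << 2  # User Verified
AT = 1 << 6  # Attested credential data included
ED = 1 << 7  # Extension data included


def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Parse the fixed prefix: rpIdHash (32), flags (1), signCount (4, big-endian).

    Attested credential data and extensions, if present, follow byte 37 and are
    not decoded here; only the flags are needed for the UP/UV check.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short: %d bytes" % len(auth_data))
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "UP": bool(flags & UP),
        "UV": bool(flags & UV),
        "AT": bool(flags & AT),
        "ED": bool(flags & ED),
        "signCount": sign_count,
    }


def check_user_flags(auth_data: bytes, user_verification: str) -> Tuple[bool, str]:
    """RP-side check mirroring the spec's assertion verification steps.

    user_verification is the RP's requested value ("required", "preferred" or
    "discouraged"). UP must always be set; UV must be set only when "required".
    A response with UV set but UP clear is rejected, which is exactly why the
    issue asks that an authenticator performing UV also set UP.
    """
    parsed = parse_authenticator_data(auth_data)
    if not parsed["UP"]:
        return False, "User Present (UP) flag not set"
    if user_verification == "required" and not parsed["UV"]:
        return False, "User Verified (UV) flag not set but RP required it"
    return True, "ok"


def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data with no attested data or extensions.

    The rpIdHash is SHA-256 of an assumed RP ID "example.com".
    """
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for flags, uv_req in [(UP | UV, "preferred"), (UP, "required"),
                          (UP | UV, "required"), (UV, "preferred")]:
        ok, reason = check_user_flags(make_auth_data(flags, 7), uv_req)
        print("flags=0x%02x userVerification=%s -> %s (%s)" % (flags, uv_req, ok, reason))
```

Run as a script it prints one line per case; the UV-only response (flags 0x04) is rejected even though the authenticator did verify the user, because the RP's mandatory UP check fails.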

Received on Monday, 12 November 2018 13:30:49 UTC