- From: Jakob Ehrensvärd <jakob@yubico.com>
- Date: Thu, 20 Apr 2017 01:42:44 -0700
- To: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
The term "user presence" as defined in U2F requires a user gesture (physical interaction) with the authenticator for each event. The gesture does not have to identify a particular user, but rater to assure that a physical interaction has been made. The "new" term TUI is proposed to tell the RP that additional means has been provided by the platform and/or authenticator that a gesture that identifies a particular user. This can in its simplest form be a cached PIN that is provided by the platform to the authenticator, where it's verified and does therefore not necessarily a physical interaction. In the case of an authenticator with a built-in means of verifying, say a fingerprint at each interaction, then both the TUI and TUP will be set. I do agree that this ambiguity should be resolved and further described. Jakob Ehrensvard CTO Skype: jehrensvard US mobile: +1 650-283-1537 SE mobile: +46 (0) 708 24 63 53 http://www.yubico.com On Wed, Apr 19, 2017 at 6:03 PM, Jeffrey Yasskin via GitHub <sysbot+gh@w3.org> wrote: > 2¢: both "user verification" and "user presence" are ambiguous when read as > English: do they verify that any user is present or that a particular user > is present? > > Despite @equalsJeffH' correct point that the API can't return anything about > the RP's notion of identity, I think this bit really is asking the > authenticator to return something about *its* notion of user identity, and > so that may be the right word to use. > > -- > GitHub Notification of comment by jyasskin > Please view or discuss this issue at > https://github.com/w3c/webauthn/pull/409#issuecomment-295522889 using your > GitHub account >
Received on Thursday, 20 April 2017 08:47:34 UTC