RE: [webauthn] Add Test of User Identity (TUI) bit to authenticator data from Angelo Liao on 2017-04-20 (public-webauthn@w3.org from April 2017)

From: Angelo Liao <huliao@microsoft.com>
Date: Thu, 20 Apr 2017 18:08:09 +0000
To: Jakob Ehrensvard <jakob@yubico.com>, Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>, "Hodges, Jeff" <jeff.hodges@paypal.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <BN6PR03MB2769ECB051B13C591934B369D71B0@BN6PR03MB2769.namprd03.prod.outlook.com>

I can think of two other names possible for this: Test of User Identification (TUI) and Test of User Recognition (TUR). How does everyone like those two names? 

-----Original Message-----
From: Jakob Ehrensvärd [mailto:jakob@yubico.com] 
Sent: Thursday, April 20, 2017 1:43 AM
To: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: [webauthn] Add Test of User Identity (TUI) bit to authenticator data

The term "user presence" as defined in U2F requires a user gesture (physical interaction) with the authenticator for each event. The gesture does not have to identify a particular user, but rater to assure that a physical interaction has been made.

The "new" term TUI is proposed to tell the RP that additional means has been provided by the platform and/or authenticator that a gesture that identifies a particular user. This can in its simplest form be a cached PIN that is provided by the platform to the authenticator, where it's verified and does therefore not necessarily a physical interaction. In the case of an authenticator with a built-in means of verifying, say a fingerprint at each interaction, then both the TUI and TUP will be set.

I do agree that this ambiguity should be resolved and further described.

Jakob Ehrensvard
CTO
Skype: jehrensvard
US mobile: +1 650-283-1537
SE mobile: +46 (0) 708 24 63 53

http://www.yubico.com

On Wed, Apr 19, 2017 at 6:03 PM, Jeffrey Yasskin via GitHub <sysbot+gh@w3.org> wrote:
> 2¢: both "user verification" and "user presence" are ambiguous when 
> read as
> English: do they verify that any user is present or that a particular 
> user is present?
>
> Despite @equalsJeffH' correct point that the API can't return anything 
> about the RP's notion of identity, I think this bit really is asking 
> the authenticator to return something about *its* notion of user 
> identity, and so that may be the right word to use.
>
> --
> GitHub Notification of comment by jyasskin Please view or discuss this 
> issue at
> https://github.com/w3c/webauthn/pull/409#issuecomment-295522889 using 
> your GitHub account
>

Received on Thursday, 20 April 2017 18:08:47 UTC