[webauthn] Why was PR #409 (UV bit) merged? from Alexei Czeskis via GitHub on 2017-04-24 (public-webauthn@w3.org from April 2017)

From: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Apr 2017 19:58:10 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-223933504-1493063889-sysbot+gh@w3.org>

leshi has just created a new issue for https://github.com/w3c/webauthn:

== Why was PR #409 (UV bit) merged? ==
Hi all,

I really don't think this PR should have been merged.

First, the corresponding PR in CTAP has not been merged or is it not a dependency?

Second, I don't think this is needed.  Why can't you specify what type of user presence/verification check is needed during key (credential) creation?  The attestation will tell you what type of key was made by this authenticator and then subsequent signatures coming from that credential will tell you that the UV was enforced.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/424 using your GitHub account

Received on Monday, 24 April 2017 19:58:20 UTC