
[webauthn] Pull Request: Fix #644: Add UV parameter to getAssertion

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 06 Nov 2017 13:03:12 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.opened-150847119-1509973390-sysbot+gh@w3.org>
emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix #644: Add UV parameter to getAssertion ==
This resolves #644, and possibly #524 and #645.

Summary:

- The definition of "user present" now states that if the user is "verified" they are also "present". Background: #629
- A UV parameter has been added to `PublicKeyCredentialRequestOptions`.
- A Boolean UV parameter is now passed to `authenticatorGetAssertion()`.
- The type of the UV parameter has changed from Boolean to `UserVerificationRequirement`.
  - Background: #644, #629.
  - This is orthogonal to the previous two points. The commits are a bit tangled, but can be untangled if this needs to be reverted.
  - The enum type `UserVerificationRequirement` has been added, with values `required`, `wanted` and `not-wanted`.
  - The type of the member `requireUserVerification` of `AuthenticatorSelectionCriteria` has changed from Boolean to `UserVerificationRequirement`.
  - A member `requireUserVerification` of type `UserVerificationRequirement` has been added to `PublicKeyCredentialRequestOptions`.
  - This value is used by the client operations to compute a Boolean value to pass to the authenticator operations.
- Authenticator operations are now specified to always require UP or UV. This was already stated in prose in [§5.1.4 Use an existing credential to make an assertion][get-assertion], but not in the algorithms:

  >Since this specification requires an authorization gesture to create any credentials, [...]

  Silent authenticator operations have also raised objections (#629, #644), so we should state this requirement clearly until it's decided to support silent operations. This probably breaks compatibility with UAF Silent Authenticators (see https://github.com/w3c/webauthn/issues/199#issuecomment-341576776).
- CTAP compatibility should not be affected by any of the above. If it is, that's a bug.

[get-assertion]: https://w3c.github.io/webauthn/#getAssertion

See https://github.com/w3c/webauthn/pull/672
Received on Monday, 6 November 2017 13:04:05 UTC
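
Added example, not part of the pull request or the specification text: one way a client could reduce the `UserVerificationRequirement` values listed in the message to the Boolean passed to the authenticator, and how a relying party could enforce "always UP or UV" on the returned flags. The function names, the mapping chosen for `wanted`, and the sample authenticator data are assumptions; the flag positions (UP = 0x01, UV = 0x04, in the byte after the 32-byte RP ID hash) follow the WebAuthn authenticator data layout.

```javascript
// Added example: names and the "wanted" mapping are assumptions, not spec text.
const UV_REQUIREMENTS = ["required", "wanted", "not-wanted"]; // values from the PR summary
const FLAG_UP = 0x01; // user present, bit 0 of the flags byte
const FLAG_UV = 0x04; // user verified, bit 2 of the flags byte

// Client side: reduce the enum to the Boolean given to authenticatorGetAssertion().
// Returns null when this authenticator cannot satisfy the request and must be skipped.
function computeUvFlag(requirement, authenticatorSupportsUv) {
  switch (requirement) {
    case "required": return authenticatorSupportsUv ? true : null;
    case "wanted": return authenticatorSupportsUv; // assumed: use UV when available
    case "not-wanted": return false;
    default: throw new TypeError(`unknown UserVerificationRequirement: ${requirement}`);
  }
}

// Relying party side: inspect the flags byte that follows the 32-byte RP ID hash.
function checkAssertionFlags(authData, requirement) {
  if (!UV_REQUIREMENTS.includes(requirement)) {
    throw new TypeError(`unknown UserVerificationRequirement: ${requirement}`);
  }
  if (authData.length < 37) { // rpIdHash (32) + flags (1) + signCount (4)
    return { ok: false, reason: "authenticator data too short" };
  }
  const flags = authData[32];
  const userVerified = (flags & FLAG_UV) !== 0;
  // Per the summary above, a verified user also counts as present.
  const userPresent = userVerified || (flags & FLAG_UP) !== 0;
  if (!userPresent) {
    return { ok: false, reason: "silent operation: neither UP nor UV set" };
  }
  if (requirement === "required" && !userVerified) {
    return { ok: false, reason: "UV required but not performed" };
  }
  return { ok: true, userPresent, userVerified };
}

// Constructed sample input: zeroed RP ID hash and counter, only the flags vary.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

console.log(computeUvFlag("wanted", false));
console.log(checkAssertionFlags(sampleAuthData(FLAG_UP), "required"));
console.log(checkAssertionFlags(sampleAuthData(FLAG_UV), "required"));
console.log(checkAssertionFlags(sampleAuthData(0x00), "not-wanted"));
```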
