[webauthn] Pull Request: Fix #644: Add UV parameter to getAssertion from Emil Lundberg via GitHub on 2017-11-06 (public-webauthn@w3.org from November 2017)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 06 Nov 2017 13:03:12 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.opened-150847119-1509973390-sysbot+gh@w3.org>

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix #644: Add UV parameter to getAssertion ==
This resolves #644, and possibly #524 and #645.

Summary:

- The definition of "user present" now states that if the user is "verified" they are also "present". Background: #629
- A UV parameter has been added to `PublicKeyCredentialRequestOptions`.
- A Boolean UV parameter is now passed to `authenticatorGetAssertion()`.
- The type of the UV parameter has changed from Boolean to `UserVerificationRequirement`.
- Background: #644, #629.
- This is orthogonal to the previous two points. The commits are a bit tangled, but can be untangled if this needs to be reverted.
- The enum type `UserVerificationRequirement` has been added, with values `required`, `wanted` and `not-wanted`.
- The type of the member `requireUserVerification` of `AuthenticatorSelectionCriteria` has changed from Boolean to `UserVerificationRequirement`.
- A member `requireUserVerification` of type `UserVerificationRequirement` has been added to `PublicKeyCredentialRequestOptions`.
- This value is used by the client operations to compute a Boolean value to pass to the authenticator operations.
- Authenticator operations are now specified to always require UP or UV. This was already stated in prose in [§5.1.4 Use an existing credential to make an assertion][get-assertion], but not in the algorithms:

>Since this specification requires an authorization gesture to create any credentials, [...]

Silent authenticator operations has also raised objections (#629, #644), so we should state this requirement clearly until it's decided to support silent operations. This probably breaks compatibility with UAF Silent Authenticators (see https://github.com/w3c/webauthn/issues/199#issuecomment-341576776).
- CTAP compatibility should not be affected by any of the above. If it is, that's a bug.

[get-assertion]: https://w3c.github.io/webauthn/#getAssertion

See https://github.com/w3c/webauthn/pull/672

Received on Monday, 6 November 2017 13:04:05 UTC