Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

See, this is why I wanted to eliminate the double negation: you and I interpreted it in different ways. :)

- I read "`UVNotRequired` defaults to `false`" as "by default, the RP requires UV".
- You seem to read "`UVNotRequired` defaults to `false`" as "by default, the RP will decide after receiving the signature whether it requires UV".

But you're right, both proposals are confusing since we're not actually talking about a boolean parameter; it's a true/false/maybe parameter ("maybe" if not explicitly set).

Either way, having thought a bit more about this: it would make for a bad user experience to go through the ceremony with everything seemingly going all right until the RP rejects the signature right at the end. In that case the RP evidently _does_ require user verification - it doesn't matter what authenticators the user has available, so it's just frustrating for the user if the RP pretends otherwise. Especially if the user has one authenticator capable of UV and one not, and chooses to use the one incapable because the RP didn't indicate that it requires UV. It's just plain better to announce it up front. And in that case I think it's better to go with `UVRequired`, which if `true` indicates that the RP requires UV and if `false` or missing indicates the RP accepts signatures both with and without UV.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-336588787 using your GitHub account

Received on Friday, 13 October 2017 23:18:02 UTC
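
The comment above contrasts an RP that only decides about UV after receiving the signature with one that announces the requirement up front. The following is an added example, not part of the original message or of the WebAuthn project: a sketch of the RP-side flag check on authenticator data that produces the late rejection when the requirement was never announced. The function names, the `policy.uvRequired` field (modelled on the proposed `UVRequired`) and the sample data are assumptions; the signature and `rpIdHash` are assumed to have been verified already.

```javascript
// Added example: RP-side check of the UP/UV flags in authenticator data.
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthenticatorData(buf) {
  if (!(buf instanceof Uint8Array) || buf.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const flags = buf[32];
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  return {
    rpIdHash: buf.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy.uvRequired (hypothetical name) mirrors the proposed `UVRequired`:
// true rejects assertions without UV; false or missing accepts both.
// Requiring UP in every case is an assumption of this example.
function checkAssertionFlags(authData, policy = {}) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user not present" };
  }
  if (policy.uvRequired === true && !parsed.userVerified) {
    return { ok: false, reason: "user verification required" };
  }
  return { ok: true, reason: null, userVerified: parsed.userVerified };
}

// Constructed sample input: zeroed rpIdHash, chosen flags and signCount.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

// A UP-only authenticator passes a permissive RP but fails a strict one,
// which is the end-of-ceremony rejection the comment wants to avoid.
const upOnly = sampleAuthData(FLAG_UP, 7);
console.log(checkAssertionFlags(upOnly));
console.log(checkAssertionFlags(upOnly, { uvRequired: true }));
console.log(checkAssertionFlags(sampleAuthData(FLAG_UP | FLAG_UV, 8), { uvRequired: true }));
```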