Re: [webauthn] #getAssertion alg needs to pass authenticator selection requirements to authenticatorGetAssertion operation

Ah. I realized the typo in the initial proposal. Apologies.

I meant to say "Platform MUST not ask for user verification" instead of "Authenticator MUST not ask for". I edited the comment. 

For example, some vendor builds a fingerprint authenticator whose semantics are that it always does user verification before releasing any signature. It may be their differentiation from other authenticators and it is their business decision. Same thing with face authenticators or some other kind. Whatever, it's their business decision. 

What we are saying is, the RP may say that it does not need it (maybe UV/Client PIN semantics bring more user friction for the majority of its customers) and the platform must not ask for it. It does not mean that the RP is going to reject it when authenticators give the UV bit anyway because it's their only way to release the signature. It is additional security that the RP does not need but can ignore if it comes, and it does not harm them. 

If an authenticator supports both types of signatures (with UV/ClientPin semantics and with only touch), in that case the platform will not ask for UV/ClientPin semantics and the authenticator is free to give a signature without the UV bit.



-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/644#issuecomment-339816682 using your GitHub account

Received on Thursday, 26 October 2017 22:15:02 UTC
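The RP-side behaviour described in the comment above (a UV bit that arrives unrequested is accepted and simply recorded; a missing UV bit is only a rejection when the RP asked for "required"), as an added example that is not part of the thread or of the w3c/webauthn project. The layout of the fixed authenticatorData prefix (rpIdHash || flags || signCount) and the flag bit positions follow the WebAuthn spec; the policy function, the RP ID `example.com` and the sample authenticator blobs are constructed for illustration, and signature, challenge and origin checks are out of scope.

```python
"""RP-side evaluation of the UP/UV flags in WebAuthn authenticator data.

Added example, not code from the w3c/webauthn thread. The field layout and
flag bits are from the WebAuthn spec; everything else is constructed.
"""
import hashlib
import struct

# Bits of the authenticatorData flags byte (WebAuthn "Authenticator Data").
FLAG_UP = 0x01  # bit 0: User Present (touch)
FLAG_UV = 0x04  # bit 2: User Verified (PIN / biometric)
FLAG_AT = 0x40  # bit 6: attested credential data included
FLAG_ED = 0x80  # bit 7: extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def evaluate_assertion(auth_data: bytes, rp_id: str, user_verification: str) -> dict:
    """Apply the RP's userVerification requirement to the returned flags.

    user_verification is the value the RP sent in the request:
    "required", "preferred" or "discouraged".
    Returns whether the flags are acceptable, whether UV actually happened
    (so the RP can record it even when it did not ask for it), and why.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"accepted": False, "uv": parsed["uv"], "reason": "rpIdHash mismatch"}
    if not parsed["up"]:
        # User presence is always mandatory for an assertion.
        return {"accepted": False, "uv": parsed["uv"], "reason": "UP flag not set"}
    if user_verification == "required" and not parsed["uv"]:
        return {"accepted": False, "uv": False, "reason": "UV required but flag not set"}
    # "preferred" / "discouraged": an unrequested UV bit does no harm; just record it.
    return {"accepted": True, "uv": parsed["uv"], "reason": "ok"}


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal authenticatorData blob (constructed test input only)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


RP_ID = "example.com"  # hypothetical RP ID
# Constructed samples: a touch-only key, and a fingerprint key that always verifies.
TOUCH_ONLY = make_auth_data(RP_ID, FLAG_UP, 7)
ALWAYS_UV = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 7)


if __name__ == "__main__":
    for name, data in (("touch-only", TOUCH_ONLY), ("always-UV", ALWAYS_UV)):
        for req in ("discouraged", "preferred", "required"):
            print(f"{name:10s} {req:11s} -> {evaluate_assertion(data, RP_ID, req)}")
```

The fingerprint authenticator from the comment (`ALWAYS_UV`) passes under all three requirement levels, and the RP can still log that UV occurred; the touch-only key is rejected only when the RP asked for "required".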