W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2018

[webauthn] RP UP verification instruction is weird

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 21 Mar 2018 19:46:50 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-307392895-1521661609-sysbot+gh@w3.org>
emlun has just created a new issue for https://github.com/w3c/webauthn:

== RP UP verification instruction is weird ==
[§7.1. Registering a new credential][reg] currently reads (and §7.2. Verifying an authentication assertion is analogous):

>10. If user verification is required for this registration, verify that the User Verified bit of the `flags` in _authData_ is set.
>11. If user verification is not required for this registration, verify that the User Present bit of the `flags` in _authData_ is set.

This results in the following truth table:
```
UV req.     | UP req? | UV res. | UP res. | Accept?
------------+---------+---------+---------+--------
discouraged | Yes     | 0       | 0       | No
discouraged | Yes     | 0       | 1       | Yes
discouraged | Yes     | 1       | 0       | No
discouraged | Yes     | 1       | 1       | Yes
preferred   | Yes     | 0       | 0       | No
preferred   | Yes     | 0       | 1       | Yes
preferred   | Yes     | 1       | 0       | No
preferred   | Yes     | 1       | 1       | Yes
required    | No      | 0       | 0       | No
required    | No      | 0       | 1       | No
required    | No      | 1       | 0       | Yes
required    | No      | 1       | 1       | Yes
```

Note, for example, how UV `preferred` means that a response with `(UV=1, UP=0)` should be rejected.

It would make more sense to let the UP requirement be defined by the UV _response_ instead of the UV _requirement_:

```
UV req.     | UV res. | UP req? | UP res. | Accept?
------------+---------+---------+---------+--------
discouraged | 0       | Yes     | 0       | No
discouraged | 0       | Yes     | 1       | Yes
discouraged | 1       | No      | 0       | Yes
discouraged | 1       | No      | 1       | Yes
preferred   | 0       | Yes     | 0       | No
preferred   | 0       | Yes     | 1       | Yes
preferred   | 1       | No      | 0       | Yes
preferred   | 1       | No      | 1       | Yes
required    | 0       | Yes     | 0       | No
required    | 0       | Yes     | 1       | No
required    | 1       | No      | 0       | Yes
required    | 1       | No      | 1       | Yes
```

[reg]: https://www.w3.org/TR/2018/CR-webauthn-20180320/#registering-a-new-credential

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/848 using your GitHub account
Received on Wednesday, 21 March 2018 19:46:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:48 UTC