- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 21 Mar 2018 19:50:51 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by emlun to https://github.com/w3c/webauthn:
* Fix #848: Weirdness in RP UP verification
§7.1. Registering a new credential currently reads (and §7.2. Verifying
an authentication assertion is analogous):
>10. If user verification is required for this registration, verify that
the User Verified bit of the `flags` in _authData_ is set.
>11. If user verification is not required for this registration, verify
that the User Present bit of the `flags` in _authData_ is set.
This results in the following truth table:
UV req. | UP req? | UV res. | UP res. | Accept?
------------+---------+---------+---------+--------
discouraged | Yes | 0 | 0 | No
discouraged | Yes | 0 | 1 | Yes
discouraged | Yes | 1 | 0 | No
discouraged | Yes | 1 | 1 | Yes
preferred | Yes | 0 | 0 | No
preferred | Yes | 0 | 1 | Yes
preferred | Yes | 1 | 0 | No
preferred | Yes | 1 | 1 | Yes
required | No | 0 | 0 | No
required | No | 0 | 1 | No
required | No | 1 | 0 | Yes
required | No | 1 | 1 | Yes
Note, for example, how UV `preferred` means that a response with `(UV=1,
UP=0)` should be rejected.
It makes more sense to let the UP requirement be defined by the UV
_response_ instead of the UV _requirement_:
UV req. | UV res. | UP req? | UP res. | Accept?
------------+---------+---------+---------+--------
discouraged | 0 | Yes | 0 | No
discouraged | 0 | Yes | 1 | Yes
discouraged | 1 | No | 0 | Yes
discouraged | 1 | No | 1 | Yes
preferred | 0 | Yes | 0 | No
preferred | 0 | Yes | 1 | Yes
preferred | 1 | No | 0 | Yes
preferred | 1 | No | 1 | Yes
required | 0 | Yes | 0 | No
required | 0 | Yes | 1 | No
required | 1 | No | 0 | Yes
required | 1 | No | 1 | Yes
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5b026ad5fcab52b853995a8ca8f4959bd9f9c0b7
Received on Wednesday, 21 March 2018 19:50:53 UTC