[w3c/webauthn] 5b026a: Fix #848: Weirdness in RP UP verification

  Branch: refs/heads/master
  Home:   https://github.com/w3c/webauthn
  Commit: 5b026ad5fcab52b853995a8ca8f4959bd9f9c0b7
      https://github.com/w3c/webauthn/commit/5b026ad5fcab52b853995a8ca8f4959bd9f9c0b7
  Author: Emil Lundberg <emil@yubico.com>
  Date:   2018-03-21 (Wed, 21 Mar 2018)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Fix #848: Weirdness in RP UP verification

§7.1. Registering a new credential currently reads (and §7.2. Verifying
an authentication assertion is analogous):

>10. If user verification is required for this registration, verify that
the User Verified bit of the `flags` in _authData_ is set.
>11. If user verification is not required for this registration, verify
that the User Present bit of the `flags` in _authData_ is set.

This results in the following truth table:

    UV req.     | UP req? | UV res. | UP res. | Accept?
    ------------+---------+---------+---------+--------
    discouraged | Yes     | 0       | 0       | No
    discouraged | Yes     | 0       | 1       | Yes
    discouraged | Yes     | 1       | 0       | No
    discouraged | Yes     | 1       | 1       | Yes
    preferred   | Yes     | 0       | 0       | No
    preferred   | Yes     | 0       | 1       | Yes
    preferred   | Yes     | 1       | 0       | No
    preferred   | Yes     | 1       | 1       | Yes
    required    | No      | 0       | 0       | No
    required    | No      | 0       | 1       | No
    required    | No      | 1       | 0       | Yes
    required    | No      | 1       | 1       | Yes

Note, for example, how UV `preferred` means that a response with `(UV=1,
UP=0)` should be rejected.

It makes more sense to let the UP requirement be defined by the UV
_response_ instead of the UV _requirement_:

    UV req.     | UV res. | UP req? | UP res. | Accept?
    ------------+---------+---------+---------+--------
    discouraged | 0       | Yes     | 0       | No
    discouraged | 0       | Yes     | 1       | Yes
    discouraged | 1       | No      | 0       | Yes
    discouraged | 1       | No      | 1       | Yes
    preferred   | 0       | Yes     | 0       | No
    preferred   | 0       | Yes     | 1       | Yes
    preferred   | 1       | No      | 0       | Yes
    preferred   | 1       | No      | 1       | Yes
    required    | 0       | Yes     | 0       | No
    required    | 0       | Yes     | 1       | No
    required    | 1       | No      | 0       | Yes
    required    | 1       | No      | 1       | Yes


  Commit: a46247182ccbda508a619f27d4437649a30004a3
      https://github.com/w3c/webauthn/commit/a46247182ccbda508a619f27d4437649a30004a3
  Author: Emil Lundberg <emil@yubico.com>
  Date:   2018-04-04 (Wed, 04 Apr 2018)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Always verify UP bit in RP ops

As pointed out by @akshayku, recent drafts of CTAP now support this.


  Commit: 2ae16c671edfbce5dc6ec020deae706a13d751c9
      https://github.com/w3c/webauthn/commit/2ae16c671edfbce5dc6ec020deae706a13d751c9
  Author: JeffH <Jeff.Hodges@PayPal.com>
  Date:   2018-04-13 (Fri, 13 Apr 2018)

  Changed paths:
    M PubStatus.md
    A draft-jones-webauthn-cose-algorithms.html
    A draft-jones-webauthn-cose-algorithms.txt
    A draft-jones-webauthn-cose-algorithms.xml
    M index.bs

  Log Message:
  -----------
  Merge branch 'master' into issue-848-rp-up-verification


  Commit: 2dabcf8ac7a5734504443148697c69c86697a799
      https://github.com/w3c/webauthn/commit/2dabcf8ac7a5734504443148697c69c86697a799
  Author: Emil Lundberg <emil@yubico.com>
  Date:   2018-04-23 (Mon, 23 Apr 2018)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Fix |authData| -> |aData|


  Commit: c22b1ac49d3cbb4ba1902272ae5470bc2292ea55
      https://github.com/w3c/webauthn/commit/c22b1ac49d3cbb4ba1902272ae5470bc2292ea55
  Author: Emil Lundberg <emil@emlun.se>
  Date:   2018-05-02 (Wed, 02 May 2018)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Merge pull request #849 from w3c/issue-848-rp-up-verification

Fix #848: Weirdness in RP UP verification


Compare: https://github.com/w3c/webauthn/compare/da1d21d5da19...c22b1ac49d3c
      **NOTE:** This service been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.

Received on Wednesday, 2 May 2018 11:18:50 UTC