Re: [webauthn] clarification of UP/UV flags in authenticator data structure

Thanks for your proposal! I agree this is worthwhile clarifying, but I think it needs to be formulated differently to not open more opportunities for misunderstandings. With your proposal, the paragraph reads:

> The `UP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The `RFU` bits SHALL be set to zero. The `UV` and `UP` flags MAY both be set if the authenticator verified a user.

This could be interpreted to mean that if the authenticator performed user verification, then it MAY set the `UV` flag. This should be that the `UV` flag MUST be set in that case, but that `UP` and `UV` MAY both be set at the same time. I'll draft an alternative proposal with reformulations to that effect.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1108#issuecomment-437855206 using your GitHub account

Received on Monday, 12 November 2018 12:03:42 UTC
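
The flags discussed in this message, seen from the relying party's side, as an added example that is not part of the original message or of the specification text. Bit positions follow the authenticator data layout in WebAuthn Level 1 (32-byte rpIdHash, one flags byte, 4-byte big-endian signCount); the function names, the findings strings and the `example.org` rpId are hypothetical, and the sample authenticator data is constructed.

```python
import hashlib
import struct

# Flags byte of authenticator data (WebAuthn Level 1 layout).
FLAG_UP = 0x01   # bit 0: user present
FLAG_UV = 0x04   # bit 2: user verified
FLAG_AT = 0x40   # bit 6: attested credential data included
FLAG_ED = 0x80   # bit 7: extension data included
RFU_MASK = 0x3A  # bits 1 and 3-5: reserved, expected to be zero


def parse_auth_data_header(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "rfu": flags & RFU_MASK,
        "sign_count": sign_count,
    }


def check_user_flags(auth_data: bytes, rp_id: str, require_uv: bool) -> list:
    """Return a list of findings; an empty list means the flags are acceptable."""
    hdr = parse_auth_data_header(auth_data)
    findings = []
    if hdr["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash mismatch")
    # UP and UV are independent bits: UV is only trusted when it is itself set,
    # never inferred from UP, and both may be set in the same response.
    if not hdr["up"]:
        findings.append("UP not set")
    if require_uv and not hdr["uv"]:
        findings.append("UV required but not set")
    if hdr["rfu"]:
        findings.append("RFU bits not zero")
    return findings


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data (header only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = make_auth_data("example.org", FLAG_UP, 7)  # constructed: UP only
    print(check_user_flags(sample, "example.org", require_uv=True))
```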