
[webauthn] Closed Pull Request: clarification of UP/UV flags in authenticator data structure

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Nov 2018 18:28:59 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-227455911-1543429738-sysbot+gh@w3.org>
emlun has just closed jericks-duo's pull request 1108 for https://github.com/w3c/webauthn:

== clarification of UP/UV flags in authenticator data structure ==
The User Presence (UP) and User Verification (UV) flags in the authenticator data structure (https://www.w3.org/TR/webauthn/#sec-authenticator-data) appear to have a similar purpose to the requireUserPresence and requireUserVerification input parameter booleans in the authenticatorMakeCredential operation. The requireUserPresence and requireUserVerification booleans are explicitly mutually exclusive -- if one is set the other must be unset. My understanding, after discussing the use case for the UP/UV flags, is that both MAY be set (i.e. not mutually exclusive). 

Example: The relying party may specify that user presence is required, but the authenticator may physically perform a user verification operation. In this case, the relying party may end up checking the UP flag and not the UV flag, so it seems like the authenticator should set both flags, not just the UV flag.

Just wanted to clarify this in the doc as there may be the potential for confusion during implementation. Or alternately, if there is a reason they should be mutually exclusive, the spec should probably specify that.

See https://github.com/w3c/webauthn/pull/1108
Received on Wednesday, 28 November 2018 18:29:01 UTC
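
The following is an added example, not part of the original message or of the WebAuthn project's code. It sketches a relying-party check that reads the UP and UV bits of the authenticator data flags byte independently, showing that an assertion carrying only UV fails an RP that checks only UP. `checkUserFlags`, `parseAuthData` and `sampleAuthData` are hypothetical names, the sample bytes are constructed, and rpIdHash and signature verification are assumed to happen elsewhere.

```javascript
// Flag bits in the authenticator data flags byte (WebAuthn, sec-authenticator-data).
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified

// Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical RP policy check: each flag is tested on its own bit,
// so UV being set never substitutes for UP (or the reverse).
function checkUserFlags(authData, { requireUP = true, requireUV = false } = {}) {
  const { up, uv } = parseAuthData(authData);
  if (requireUP && !up) return { ok: false, reason: "UP flag not set" };
  if (requireUV && !uv) return { ok: false, reason: "UV flag not set" };
  return { ok: true, reason: null };
}

// Constructed sample input: zeroed rpIdHash, caller-chosen flags byte, signCount = 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}

// Authenticator performed verification but set only UV: an RP requiring UP rejects it.
console.log(checkUserFlags(sampleAuthData(FLAG_UV)));
// Authenticator set both flags: passes whether the RP requires UP, UV, or both.
console.log(checkUserFlags(sampleAuthData(FLAG_UP | FLAG_UV), { requireUV: true }));
```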
