
Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Thu, 21 Jan 2021 04:28:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-764269709-1611203320-sysbot+gh@w3.org>
> Because the webauthn spec does _NOT_ direct RPs to store the UV bit from the registration ceremony in the credential because it is _per ceremony_ instead.

I don't think this is a normative spec issue at all. Whilst it may be useful for RP implementations to store information from the registration ceremony *with* (not in) the credential such that the RP can understand whether or not uv was performed for that registration ceremony, it is even more useful for the registration ceremony to also check the uv bit, rejecting the registration ceremony if uv is required *for that type of registration*. That is also a required validation documented in the registration ceremony - specifically step 15 of https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential.

I truly believe the fundamental issue here is not with the specification's semantics, but with false assumptions. 

GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-764269709 using your GitHub account

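The check the comment points at (reject the registration when the RP's policy requires user verification but the authenticator did not set the UV flag, and otherwise record whether UV happened alongside the credential) looks like the following. This is an added example, not code from the commenter, the WebAuthn spec or any RP library; it parses only the fixed 37-byte prefix of authenticator data (rpIdHash, flags, signCount), so the sample `make_auth_data` helper, the `example.com` RP ID and the in-memory `store` are constructed for illustration, and a real RP must additionally parse and validate the attested credential data that follows the prefix.

```python
import hashlib
from dataclasses import dataclass

RP_ID = "example.com"  # constructed sample relying party id (assumption)

# Bit positions in the authData flags byte, per the WebAuthn authenticator data layout
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_AT = 1 << 6  # Attested credential data included
FLAG_ED = 1 << 7  # Extension data included


@dataclass
class AuthDataPrefix:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(auth_data: bytes) -> AuthDataPrefix:
    """Parse the fixed prefix: 32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return AuthDataPrefix(
        rp_id_hash=auth_data[:32],
        flags=auth_data[32],
        sign_count=int.from_bytes(auth_data[33:37], "big"),
    )


def check_registration(auth_data: bytes, rp_id: str, uv_requirement: str):
    """Apply the registration-ceremony flag checks for one RP policy.

    uv_requirement is a WebAuthn UserVerificationRequirement value:
    "required", "preferred" or "discouraged".
    Returns (accepted, reason, uv_performed).
    """
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID", False
    if not ad.flags & FLAG_UP:
        return False, "User Present flag not set", False
    uv_performed = bool(ad.flags & FLAG_UV)
    # The check the comment describes: UV required for this registration -> UV bit must be set.
    if uv_requirement == "required" and not uv_performed:
        return False, "user verification required but User Verified flag not set", False
    return True, "ok", uv_performed


def register(store: dict, credential_id: bytes, auth_data: bytes, uv_requirement: str):
    """Run the checks and, on success, record UV status *with* (not in) the credential."""
    accepted, reason, uv_performed = check_registration(auth_data, RP_ID, uv_requirement)
    if accepted:
        store[credential_id] = {
            "uv_at_registration": uv_performed,
            "sign_count": parse_auth_data(auth_data).sign_count,
        }
    return accepted, reason


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed authData prefix for testing; a real authenticator appends attested credential data."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + sign_count.to_bytes(4, "big")
    )


if __name__ == "__main__":
    creds = {}
    no_uv = make_auth_data(RP_ID, FLAG_UP | FLAG_AT)
    with_uv = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT)
    print(register(creds, b"cred-1", no_uv, "required"))    # rejected
    print(register(creds, b"cred-2", no_uv, "preferred"))   # accepted, uv_at_registration False
    print(register(creds, b"cred-3", with_uv, "required"))  # accepted, uv_at_registration True
    print(creds)
```

Recording `uv_at_registration` beside the credential lets later authentication ceremonies apply a policy consistent with how the credential was enrolled, while the `required` branch is what actually enforces the policy at registration time.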
Received on Thursday, 21 January 2021 05:01:59 UTC
