Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

> Because the webauthn spec does _NOT_ direct RP's to store the UV bit from the registration ceremony in the credential because it is _per ceremony_ instead.

I don't think this is a normative spec issue at all. Whilst it may useful for RP implementations to store information from the registration ceremony *with* (not in) the credential such that the RP can understand whether or not uv was performed for that registration ceremony, it is even more useful for the registration ceremony to also check the uv bit, rejecting the registration ceremony if uv is required *for that type of registration*. That is also a required validation documented in the registration ceremony - specifically step 15 of

I truly believe the fundamental issue here is not with the specification's semantics, but with false assumptions. 

GitHub Notification of comment by sbweeden
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 21 January 2021 05:01:59 UTC