[webauthn] Identify which items in creation and assertion options are client UI/UX hints (#1618)

Firstyear has just created a new issue for https://github.com/w3c/webauthn:

== Identify which items in creation and assertion options are client UI/UX hints ==
A large number of items in the creation and assertion options exist to help a client identify and select an authenticator for usage. However, many of these items are expressed using language that indicates to a user that these are enforced policy or a requirement. This leads to situations where people may rely on these options, and a client may freely alter or tamper with them without the RP knowing.

The options that should be clearly identified as UX hints, and not enforced policies are:

-- Creation

* PublicKeyCredentialParameters (verified in level 2)
* excludeCredentials (intended for the client to allow filtering of available credentials, reads like it is a "deny list")
* AuthenticatorSelectionCriteria (criteria implies a strict requirement of what authenticators can be selected by the client, even though it's a hint for what authenticators could be used)
* All members of AuthenticatorSelectionCriteria

-- Assertion

* userVerification (this is a client UX hint, and may not correlate to the authenticator's UV state)

Relates #1615

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1618 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 31 May 2021 04:25:59 UTC
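The assertion-side point above (userVerification is a client hint, not an enforced policy) means an RP has to verify user verification from the signed authenticatorData rather than from the options it sent. The following is an added example, not code from the issue or the WebAuthn project, showing that RP-side check on a constructed authenticatorData blob; the rp_id "example.com" and the helper names are assumptions.

```python
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn authenticator data layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def verify_assertion_policy(auth_data: bytes, rp_id: str, require_uv: bool) -> tuple:
    """RP-side enforcement of what the request options only hint at.

    userVerification="required" in the request is advisory to the client; the
    only evidence that UV happened is the UV flag the authenticator set and
    signed over. The rpIdHash is likewise recomputed here, not trusted.
    """
    fields = parse_auth_data(auth_data)
    if fields["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not fields["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not fields["flags"] & FLAG_UV:
        return False, "user verification required but UV flag not set"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData with no attested credential data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed case: the RP asked for UV, the authenticator only did UP.
    sample = build_auth_data("example.com", FLAG_UP, 7)
    print(verify_assertion_policy(sample, "example.com", require_uv=True))
```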