- From: Silvan Mosberger via GitHub <sysbot+gh@w3.org>
- Date: Thu, 24 Feb 2022 16:38:29 +0000
- To: public-webauthn@w3.org
I'm still not sure what difference there is between "the RP requires user verification" and `userVerification` being set to "required". As a Relying Party implementor I'd still interpret the former as the latter. In which scenario is it possible that these two are different? - The RP requires user verification but doesn't set `userVerification` to "required": That seems unreasonable, the RP shouldn't reject a response without user verification if it didn't ask for it - The RP doesn't require user verification but sets `userVerification` to "required": This sounds like the RP really should've set `userVerification` to "preferred" and not "required" then. Is there a use case that I'm not seeing? If there really is a reasonable one then I think it makes sense to point that out in the spec somewhere, so that library implementors don't equate these things. -- GitHub Notification of comment by Infinisil Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1704#issuecomment-1050043574 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 24 February 2022 16:38:31 UTC