[w3c/webauthn] 24359a: Don't be so strict about uv with the PRF extension. from Adam Langley on 2023-01-04 (public-webauthn@w3.org from January 2023)

From: Adam Langley <noreply@github.com>
Date: Wed, 04 Jan 2023 14:14:10 -0800
To: public-webauthn@w3.org
Message-ID: <w3c/webauthn/push/refs/heads/prf2/000000-24359a@github.com>

  Branch: refs/heads/prf2
  Home:   https://github.com/w3c/webauthn
  Commit: 24359a14f2098d260f7b8529d38fe6346fed2326
      https://github.com/w3c/webauthn/commit/24359a14f2098d260f7b8529d38fe6346fed2326
  Author: Adam Langley <agl@imperialviolet.org>
  Date:   2023-01-04 (Wed, 04 Jan 2023)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Don't be so strict about uv with the PRF extension.

Authenticators may have different PRFs for the UV and non-UV case. Thus
setting uv=preferred during an assertion is fraught: it doesn't fully
specify which PRF to use.

However, while implementing this, I ended up feeling that the
prohibition on using uv=preferred was too strong. Sites may reasonably
want to use uv=preferred and to take advantage of available PRF results.
If the evaluation points are global then this isn't so silly as to
justify a prohibition, I suspect.

Received on Wednesday, 4 January 2023 22:14:23 UTC