[webauthn] new commits pushed by agl from Adam Langley via GitHub on 2023-03-22 (public-webauthn@w3.org from March 2023)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 22 Mar 2023 19:37:01 +0000
To: public-webauthn@w3.org
Message-ID: <push-54e0962aef5fa353570700fe2dc8bac9c34db686-1679513817-sysbot+gh@w3.org>

The following commits were just pushed by agl to https://github.com/w3c/webauthn:

* Don't be so strict about uv with the PRF extension.

Authenticators may have different PRFs for the UV and non-UV case. Thus
setting uv=preferred during an assertion is fraught: it doesn't fully
specify which PRF to use.

However, while implementing this, I ended up feeling that the
prohibition on using uv=preferred was too strong. Sites may reasonably
want to use uv=preferred and to take advantage of available PRF results.
If the evaluation points are global then this isn't so silly as to
justify a prohibition, I suspect.
  by Adam Langley
https://github.com/w3c/webauthn/commit/24359a14f2098d260f7b8529d38fe6346fed2326

* Update wording to reflect discussions.
  by Adam Langley
https://github.com/w3c/webauthn/commit/cac92424af0313f36b591089b331300850854e1d

* Apply suggestion from emlun

Co-authored-by: Emil Lundberg <emil@yubico.com>
  by Adam Langley
https://github.com/w3c/webauthn/commit/8680f5861f410f9ba015cd8b4ba4b778071469a6

* Switch to SyntaxError
  by Adam Langley
https://github.com/w3c/webauthn/commit/414de68c8d3f3d458c1c600dab4f450615c2dad4

* Specify that there's only one PRF, and it's the UV one.

Fixes #1851
  by Adam Langley
https://github.com/w3c/webauthn/commit/5ebc25721158cc45a985e171121911da87d64994

* Require that evalByCredential keys match a credential from the allowList, if any.

They are superfluous if they don't.
  by Adam Langley
https://github.com/w3c/webauthn/commit/3b83189b8f30f6fff36d0bd4b1ef2bcf53e148c6

* Apply emlun's suggestions from code review

Co-authored-by: Emil Lundberg <emil@yubico.com>
  by Adam Langley
https://github.com/w3c/webauthn/commit/6478874bf740d1daf4f5fba5ddfab602ca5a8c2b

* Merge pull request #1836 from w3c/prf2

Only expose the UV PRF
  by Adam Langley
https://github.com/w3c/webauthn/commit/54e0962aef5fa353570700fe2dc8bac9c34db686



-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 22 March 2023 19:37:03 UTC