- From: philomathic_life via GitHub <noreply@w3.org>
- Date: Wed, 09 Jul 2025 22:52:12 +0000
- To: public-webauthn@w3.org
This is tangentially related, but what is the required behavior from clients if `mediation` is `"conditional"`, but `userVerification` is `"required"`? Does one override the other? The quoted section states: > The client MUST set BOTH _requireUserPresence_ and _requireUserVerification_ to _FALSE_ when _`options.`_[`mediation`](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation) is set to [`conditional`](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional) unless they may explicitly performed during the ceremony. One interpretation of that section suggests that `userVerification` is overridden since clients "MUST" set _requireUserVerification_ to false. Another interpretation is that `userVerification` of `"required"` is retained since the section provides an out with "unless they may explicitly [be] performed during the ceremony". The ceremony validation criteria only states that user presence is allowed to be false when `mediation` is `"conditional"`, but it doesn't state that user verification is allowed to be false when `"required"` was requested which further suggests that `userVerifcation` "wins" since the ceremony is almost guaranteed to fail. -- GitHub Notification of comment by zacknewman Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-3054350895 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 9 July 2025 22:52:13 UTC