- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Wed, 14 May 2025 17:53:41 +0000
- To: public-webauthn@w3.org
arianvp has just created a new issue for https://github.com/w3c/webauthn:

== Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? ==

https://w3c.github.io/webauthn/#sctn-createCredential says

> The client MUST set BOTH requireUserPresence and requireUserVerification to FALSE when options.[mediation](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation) is set to [conditional](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional) unless they may explicitly performed during the ceremony.

However then that means that `uvInitialized` is set to `FALSE` in the credential record according to https://w3c.github.io/webauthn/#reg-ceremony-create-credential-record

However this means that the credential created may not be used for authentication

> When this is false, including an [authentication ceremony](https://w3c.github.io/webauthn/#authentication-ceremony) where it would be updated to true, the [UV](https://w3c.github.io/webauthn/#authdata-flags-uv) [flag](https://w3c.github.io/webauthn/#authdata-flags) MUST NOT be relied upon as an [authentication factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af).

https://w3c.github.io/webauthn/#abstract-opdef-credential-record-uvinitialized

This is in contradiction with each other. The whole idea of conditional creation is that we automatically create a passkey for subsequent log ins. However this is incompatible with the `uvInitialized` semantics from my reading?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 14 May 2025 17:53:42 UTC
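
The credential-record behaviour cited in the message above, sketched from the relying party's side as an added example; it is not part of the original message or of the WebAuthn specification. All function and field names except `uvInitialized` are hypothetical, the authenticator data is constructed, and the `extraFactorOk` upgrade path is an assumption based on a reading of the spec's authentication ceremony.

```javascript
// Added example: relying-party handling of uvInitialized (hypothetical names).
const FLAG_UP = 0x01; // UP: user present
const FLAG_UV = 0x04; // UV: user verified
const FLAG_AT = 0x40; // AT: attested credential data included

// The flags byte sits at offset 32 of authenticator data, after the rpIdHash.
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const f = authData[32];
  return { up: (f & FLAG_UP) !== 0, uv: (f & FLAG_UV) !== 0 };
}

// Registration: the record stores the UV flag value as uvInitialized.
function createCredentialRecord(id, authData) {
  return { id, uvInitialized: parseFlags(authData).uv };
}

// Authentication: UV counts as a factor only if uvInitialized was already true
// before this ceremony. The record is upgraded only when the caller says an
// additional factor authorized the change (assumption, see lead-in).
function verifyAssertionFlags(record, authData, { extraFactorOk = false } = {}) {
  const { up, uv } = parseFlags(authData);
  const uvIsFactor = uv && record.uvInitialized;
  if (!record.uvInitialized && uv && extraFactorOk) record.uvInitialized = true;
  return { up, uvIsFactor };
}

// Constructed sample: zeroed rpIdHash (32 bytes), flags byte, zeroed counter.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  return b;
}

// Walk-through: conditional create without UP/UV, then three sign-ins with UV.
function demo() {
  const rec = createCredentialRecord("cred-1", sampleAuthData(FLAG_AT));
  const created = rec.uvInitialized;
  const signIn = sampleAuthData(FLAG_UP | FLAG_UV);
  const first = verifyAssertionFlags(rec, signIn);
  const second = verifyAssertionFlags(rec, signIn, { extraFactorOk: true });
  const third = verifyAssertionFlags(rec, signIn);
  return { created, first, second, third, final: rec.uvInitialized };
}
```
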