[webauthn] Pull Request: clarification of UP/UV flags in authenticator data structure

jericks-duo has just submitted a new pull request for https://github.com/w3c/webauthn:

== clarification of UP/UV flags in authenticator data structure ==
The User Presence (UP) and User Verification (UV) flags in the authenticator data structure (https://www.w3.org/TR/webauthn/#sec-authenticator-data) appear to have a similar purpose to the requireUserPresence and requireUserVerification input parameter booleans in the authenticatorMakeCredential operation. The requireUserPresence and requireUserVerification booleans are explicitly mutually exclusive -- if one is set the other must be unset. My understanding, after discussing the use case for the UP/UV flags, is that both MAY be set (i.e. not mutually exclusive). 

Example: The relying party may specify that user presence is required, but the authenticator may physically perform a user verification operation. In this case, the relying party may end up checking the UP flag and not the UV flag, so it seems like the authenticator should set both flags, not just the UV flag.

Just wanted to clarify this in the doc as there may be the potential for confusion during implementation. Or alternately, if there is a reason they should be mutually exclusive, the spec should probably specify that.

See https://github.com/w3c/webauthn/pull/1108

Received on Wednesday, 31 October 2018 22:02:44 UTC
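Added example (not code from the PR or from the webauthn project): a small relying-party-side parser for the fixed part of the authenticator data structure discussed above, showing why an authenticator that sets only UV after performing user verification can fail a relying party that asked for (and checks) only UP. Bit positions follow the spec's flags byte (UP = bit 0, UV = bit 2, AT = bit 6, ED = bit 7); the `example.com` RP ID, sign counts and the `build_authenticator_data` helper are constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Flag bits of the authenticator data "flags" byte
# (https://www.w3.org/TR/webauthn/#sec-authenticator-data).
FLAG_UP = 0x01  # bit 0: User Present
FLAG_UV = 0x04  # bit 2: User Verified
FLAG_AT = 0x40  # bit 6: attested credential data follows
FLAG_ED = 0x80  # bit 7: extension data follows

# rpIdHash (32) + flags (1) + signCount (4, big-endian)
FIXED_AUTH_DATA_LEN = 37


@dataclass
class AuthData:
    rp_id_hash: bytes
    up: bool
    uv: bool
    at: bool
    ed: bool
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Decode the fixed 37-byte prefix of authenticator data."""
    if len(auth_data) < FIXED_AUTH_DATA_LEN:
        raise ValueError("authenticator data too short: %d bytes" % len(auth_data))
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(
        rp_id_hash=rp_id_hash,
        up=bool(flags & FLAG_UP),
        uv=bool(flags & FLAG_UV),
        at=bool(flags & FLAG_AT),
        ed=bool(flags & FLAG_ED),
        sign_count=sign_count,
    )


def relying_party_checks(auth_data: bytes, expected_rp_id: str, require_uv: bool) -> List[str]:
    """Return the list of reasons a relying party would reject this authData.

    Mirrors the RP verification steps: the UP bit must always be set, and the
    UV bit must be set only when the RP asked for user verification.
    An empty list means the flags are acceptable.
    """
    parsed = parse_authenticator_data(auth_data)
    problems: List[str] = []
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed.rp_id_hash != expected_hash:
        problems.append("rpIdHash does not match expected RP ID")
    if not parsed.up:
        problems.append("UP flag not set")
    if require_uv and not parsed.uv:
        problems.append("UV flag not set but user verification was required")
    return problems


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed helper: assemble the fixed prefix an authenticator would emit."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags & 0xFF])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Authenticator did user verification but set only UV: an RP that only
    # asked for presence still rejects it, which is the confusion the PR raises.
    uv_only = build_authenticator_data("example.com", FLAG_UV, 1)
    print("UV only, RP requires UP:", relying_party_checks(uv_only, "example.com", False))

    # Setting both flags satisfies an RP that checks UP as well as one that checks UV.
    both = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 2)
    print("UP+UV, RP requires UP:", relying_party_checks(both, "example.com", False))
    print("UP+UV, RP requires UV:", relying_party_checks(both, "example.com", True))
```

Run as a script it prints the rejection reason for the UV-only case and empty lists for the UP+UV case; the point is that an authenticator reporting both flags interoperates with relying parties that check either one.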