Align authenticator operations' UP/UV behaviour with CTAP2

index.bs

@@ -797,6 +797,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
             </dl>
 
+    1. Let |userPresence| be a Boolean value set to the inverse of |userVerification|.
+
     1. Let |excludeCredentialDescriptorList| be a new [=list=].
 
     1. [=list/For each=] credential descriptor |C| in <code>|options|.{{MakePublicKeyCredentialOptions/excludeCredentials}}</code>:
@@ -809,6 +811,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
         |clientDataHash|,
         <code>|options|.{{MakePublicKeyCredentialOptions/rp}}</code>, <code>|options|.{{MakePublicKeyCredentialOptions/user}}</code>,
         <code>|options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/requireResidentKey}}</code>,
+        |userPresence|,
         |userVerification|,
         |credTypesAndPubKeyAlgs|,
         |excludeCredentialDescriptorList|,
@@ -1064,6 +1067,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
             </dl>
 
+    1. Let |userPresence| be a Boolean value set to the inverse of |userVerification|.
 
     1. Let |allowCredentialDescriptorList| be a new [=list=].
 
@@ -1102,20 +1106,20 @@ When this method is invoked, the user agent MUST execute the following algorithm
                             selection.
 
                             Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
-                            |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|, |userVerification|,
-                            and |authenticatorExtensions| as parameters.
+                            |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|, |userPresence|,
+                            |userVerification|, and |authenticatorExtensions| as parameters.
 
                         :   [=list/is empty=]
                         ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|,
                             invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
-                            |clientDataHash|, |allowCredentialDescriptorList|, |userVerification|, and |clientExtensions| as
-                            parameters.
+                            |clientDataHash|, |allowCredentialDescriptorList|, |userPresence|, |userVerification|, and
+                            |clientExtensions| as parameters.
                     </dl>
 
             :   [=list/is empty=]
             ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
-                [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|, |userVerification| and
-                |clientExtensions| as parameters.
+                [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|, |userPresence|,
+                |userVerification| and |clientExtensions| as parameters.
 
                 Note: In this case, the [=[RP]=] did not supply a list of acceptable credential descriptors. Thus the
                     authenticator is being asked to exercise any credential it may possess that is bound to
@@ -2042,6 +2046,10 @@ input parameters:
 :: The user account's {{PublicKeyCredentialUserEntity}}, containing the [=user handle=] given by the [=[RP]=].
 : |requireResidentKey|
 :: |options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}}.{{requireResidentKey}}.
+: |requireUserPresence|
+:: A Boolean value provided by the client, which in invocations from a [=[WAC]=]'s
+    {{PublicKeyCredential/[[Create]](origin, options)}} method is always set to the inverse of
+    |requireUserVerification|.
 : |requireUserVerification|
 :: The [=effective user verification requirement for credential creation=], a Boolean value provided by the client.
 : |credTypesAndPubKeyAlgs|
@@ -2077,17 +2085,9 @@ When this operation is invoked, the authenticator must perform the following pro
     <code>|userEntity|.{{PublicKeyCredentialEntity/name}}</code> and
     <code>|userEntity|.{{PublicKeyCredentialUserEntity/displayName}}</code>, if possible.
 
-    The method of obtaining [=user consent=] MUST include [=user verification=] or a [=test of user presence=] as follows. If
-    |requireUserVerification|
-
-    <dl class="switch">
-        :   is `true`
-        ::  [=User verification=] MUST be performed.
+    If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=].
 
-        :   is `false`
-        ::  [=User verification=] SHOULD NOT be performed. If [=user verification=] is not performed, a [=test of user presence=]
-            MUST be performed.
-    </dl>
+    If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=].
 
     If the user denies [=user consent|consent=] or if [=user verification=] fails, return an error code equivalent to
     "{{NotAllowedError}}" and terminate the operation.
@@ -2140,6 +2140,10 @@ input parameters:
 : |allowCredentialDescriptorList|
 :: An optional list of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered
     by the client), if any.
+: |requireUserPresence|
+:: A Boolean value provided by the client, which in invocations from a [=[WAC]=]'s
+    {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options)}} method is always set to the inverse of
+    |requireUserVerification|.
 : |requireUserVerification|
 :: The [=effective user verification requirement for assertion=], a Boolean value provided by the client.
 : |extensions|
@@ -2165,17 +2169,9 @@ When this method is invoked, the [=authenticator=] must perform the following pr
     the [=authenticator=] if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display the
     |rpId| and any additional displayable data associated with |selectedCredential|, if possible.
 
-    The method of obtaining [=user consent=] MUST include [=user verification=] or a [=test of user presence=] as follows. If
-    |requireUserVerification|
+    If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=].
 
-    <dl class="switch">
-        :   is `true`
-        ::  [=User verification=] MUST be performed.
-
-        :   is `false`
-        ::  [=User verification=] SHOULD NOT be performed. If [=user verification=] is not performed, a [=test of user presence=]
-            MUST be performed.
-    </dl>
+    If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=].
 
     If the user denies [=user consent|consent=] or if [=user verification=] fails, return an error code equivalent to
     "{{NotAllowedError}}" and terminate the operation.