Merge pull request #1238 from w3c/issue-1162-clarify-individual-users

Clarify that a single user might be several persons
w3c · Jun 26, 2019 · d064d92 · d064d92
2 parents 9fd1f03 + a30bdf7
commit d064d92
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/index.bs b/index.bs
@@ -806,10 +806,23 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
 :: The technical process by which an [=authenticator=] <em>locally authorizes</em> the invocation of the
     [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=] operations. [=User verification=] MAY be instigated
     through various [=authorization gesture=] modalities; for example, through a touch plus pin code, password entry, or
-    [=biometric recognition=] (e.g., presenting a fingerprint) [[ISOBiometricVocabulary]]. The intent is to be able to
-    distinguish individual users. Note that invocation of the [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=]
-    operations implies use of key material managed by the authenticator. Note that for security, [=user verification=] and use
-    of [=credential private keys=] must occur within a single logical security boundary defining the [=authenticator=].
+    [=biometric recognition=] (e.g., presenting a fingerprint) [[ISOBiometricVocabulary]]. The intent is to
+    distinguish individual users.
+
+    Note: Distinguishing natural persons depends in significant part upon the [=client platform=]'s
+    and [=authenticator=]'s capabilities.
+    For example, some devices are intended to be used by a single individual,
+    yet they may allow multiple natural persons to enroll fingerprints
+    and thus access the same [=[RP]=] account(s) using that device.
+    See also [[#sctn-uvi-extension]].
+
+    <div class="note">
+        Note: Invocation of the [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=] operations
+        implies use of key material managed by the authenticator.
+
+        Also, for security, [=user verification=] and use of [=credential private keys=]
+        must all occur within the logical security boundary defining the [=authenticator=].
+    </div>
 
     [=User verification=] procedures MAY implement [=rate limiting=] as a protection against brute force attacks.