Merge pull request #1855 from w3c/issue-1848-challenge-timeout

Recommend duration of challenge validity

index.bs

@@ -1794,9 +1794,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
     |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/timeout}}</code> is not
     present, then set |lifetimeTimer| to a [=client=]-specific default.
 
-        Recommended ranges and defaults for <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/timeout}}</code> are as follows.
-          * Recommended range: 300000 milliseconds to 600000 milliseconds.
-          * Recommended default value: 300000 milliseconds (5 minutes).
+        See the [=recommended range and default for a WebAuthn ceremony timeout=]
+        for guidance on deciding a reasonable range and default for <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/timeout}}</code>.
 
         Note: The user agent should take cognitive guidelines into considerations regarding timeout for users with special needs.
 
@@ -2296,9 +2295,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
         Set a timer |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code>
         is not present, then set |lifetimeTimer| to a [=client=]-specific default.
 
-            Recommended ranges and defaults for <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code> are as follows.
-              * Recommended range: 300000 milliseconds to 600000 milliseconds.
-              * Recommended default value: 300000 milliseconds (5 minutes).
+            See the [=recommended range and default for a WebAuthn ceremony timeout=]
+            for guidance on deciding a reasonable range and default for <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code>.
 
             Note: The user agent should take cognitive guidelines into considerations regarding timeout for users with special needs.
 
@@ -8354,6 +8352,9 @@ upon a client's behavior, e.g., the [=[RP]=] SHOULD store the challenge temporar
 until the operation is complete. Tolerating a mismatch will compromise the security
 of the protocol.
 
+Challenges SHOULD be valid for a duration similar to the
+upper limit of the [=recommended range and default for a WebAuthn ceremony timeout=].
+
 In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD
 therefore be at least 16 bytes long.
 
@@ -8844,8 +8845,16 @@ as discussed in [[#sctn-username-enumeration]].
 
 [=[RPS]=], at [=registration=] time, SHOULD provide affordances for users to complete future [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).
 
+
+## Recommended Range for Ceremony Timeouts ## {#sctn-timeout-recommended-range}
+
 [=Ceremonies=] relying on timing, e.g., a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly.
 
+The <dfn>recommended range and default for a WebAuthn ceremony timeout</dfn> is as follows:
+
+* Recommended range: 300000 milliseconds to 600000 milliseconds.
+* Recommended default value: 300000 milliseconds (5 minutes).
+
 
 # Acknowledgements # {#sctn-acknowledgements}
 We thank the following people for their reviews of, and contributions to, this specification: