be explicit about "same user" is verified at get() time as was verified at create() time #493

Closed
equalsJeffH opened this issue Jun 7, 2017 · 2 comments · Fixed by #976

Comments

@equalsJeffH
Contributor

This may involve some changes to the two main algorithms, and definitely should be mentioned in the user verification definition. As @jyasskin notes in PR #460:

Even if the authenticator can "distinguish individual users", it needs to record which user authorized create() and only sign credentials when the same user authorizes a get() call.

@AngeloKai
Contributor

+1 on clearer step, though I am not sure how to do that. Obviously all platforms use some sort of storage structure to memorize each user and associate the gestures. However, beyond that, I have very limited knowledge of how it is done. I am also not sure about the IP aspect because different device manufacturers use different ways to identify users.

@equalsJeffH
Contributor Author

+1 on clearer step, though I am not sure how to do that. Obviously all platforms use some sort of storage structure to memorize each user and associate the gestures. However, beyond that, I have very limited knowledge of how it is done. I am also not sure about the IP aspect because different device manufacturers use different ways to identify users.

We do not have to get into details. I am thinking we can have a generic, high-level, fairly abstract statement to the effect that: user verification at {#getAssertion} time must identify the same user as was verified at {#createCredential} time. Or something to that effect that we can agree on.
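
The binding discussed in this thread, as an added example that is not part of the issue or the WebAuthn spec: a toy authenticator model records which local user was verified when the credential was created and refuses to sign an assertion unless the same local user is verified again. The class and method names, the HMAC used as a stand-in for the credential private key, and the sample users are assumptions for illustration.

```python
# Added example (not from the WebAuthn spec or this issue): models the
# "same user at get() as at create()" check. HMAC stands in for the
# credential private key; all names and sample values are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    rp_id: str
    key: bytes          # stand-in for the credential private key
    bound_user: str     # local user verified at create() time


class UserMismatch(Exception):
    """get() authorized by a different local user than create()."""


class ToyAuthenticator:
    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id, verified_user):
        """Modelled on authenticatorMakeCredential: the user-verification
        step records *which* local user consented, not just that one did."""
        cred = Credential(secrets.token_bytes(16), rp_id,
                          secrets.token_bytes(32), verified_user)
        self._creds[cred.credential_id] = cred
        return cred.credential_id

    def get_assertion(self, rp_id, credential_id, client_data_hash, verified_user):
        """Modelled on authenticatorGetAssertion: sign only when the local
        user verified now is the one bound to the credential at creation."""
        cred = self._creds.get(credential_id)
        if cred is None or cred.rp_id != rp_id:
            raise KeyError("no credential for this RP")
        if verified_user != cred.bound_user:
            raise UserMismatch("verified user is not the credential's creator")
        return hmac.new(cred.key, client_data_hash, hashlib.sha256).digest()


def demo():
    """Same local user gets a signature; a second user of the same device does not."""
    authn = ToyAuthenticator()
    cid = authn.make_credential("example.com", verified_user="alice")
    cdh = hashlib.sha256(b"constructed clientDataJSON").digest()
    sig = authn.get_assertion("example.com", cid, cdh, verified_user="alice")
    try:
        authn.get_assertion("example.com", cid, cdh, verified_user="bob")
        refused = False
    except UserMismatch:
        refused = True
    return len(sig), refused
```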

@nadalin nadalin modified the milestones: PR, CR Sep 11, 2017
equalsJeffH added a commit that referenced this issue Jul 11, 2018
…was verified at create() time (#976)

* add anchor to authnrMakeCred user consent step

* add user-must-be-same admonition to authnrGetAssn

* update comment wrt tagged step

* make it a Note

* spelling
WebAuthnBot pushed a commit that referenced this issue Jul 11, 2018
…s verified at get() time as was verified at create() time (#976)