New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add User Verification (UV) bit to authenticator data #409
Changes from 18 commits
6f2f11a
0338bee
ad4ace2
b20d784
8c4d907
8d842cc
186b3d9
1414c2f
d34178d
345b8dc
bb4ad64
485c430
6a6eafe
bc857de
5f41fac
5e860cd
9ba8f8a
f607343
9fca565
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1263,6 +1263,7 @@ The [=authenticator data=] structure is a byte array of 37 bytes or more, as fol | |
<td> | ||
Flags (bit 0 is the least significant bit): | ||
- Bit 0: [=Test of User Presence=] (`TUP`) result. | ||
- Bit 1: [=User Verification=] (`UV`) result. | ||
- Bits 1-5: Reserved for future use (`RFU`). | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/1-5/2-5/ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Note: this needs to be updated [per @jyasskin's earlier comment] to be "Bits 2-5" ! |
||
- Bit 6: [=Attestation data=] included (`AT`). Indicates whether the authenticator added [=attestation data=]. | ||
- Bit 7: Extension data included (`ED`). Indicates if the [=authenticator data=] has extensions. | ||
|
@@ -1294,7 +1295,8 @@ does not change between operations but instead remains the same for the lifetime | |
by the authenticator during the [=authenticatorGetAssertion=] operation, by verifying that the RP ID associated with the | ||
requested credential exactly matches the RP ID supplied by the client. | ||
|
||
The `TUP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The | ||
The `TUP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/TUP/UP/ ? (ie, "User Present") Also, given the language here, we seem to be saying that if UV has been accomplished, BOTH the UP (nee 'TUP') and UV flags would be set, yes? I.e., UP is set if the authenticator is able to confirm user presence in any fashion, and UV is also set if that fashion is one able to verify that it is the "same user" as in prior interactions (e.g., credential creation). Yes? If so, this language ought to be polished appropriately (in both the above and below lines). BTW, this is the way the FIDO User Verification Methods flags work -- USER_VERIFY_PRESENCE is always set, and then other flags MAY be set in order to signal finer-grained attributes of the interaction, see: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-registry-v1.1-id-20170202.html#user-verification-methods |
||
`UV` flag SHALL be set if and only if the [=user verification=] process has been performed by the authenticator. The | ||
`RFU` bits in the flags byte SHALL be set to zero. | ||
|
||
For attestation signatures, the authenticator MUST set the AT flag and include the [=attestation data=]. For authentication | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @AngeloKai considering feedback and migrating this to the "user verification" terminology.
Tho, actually, in thinking about the naming of both TUP and UV bits, I would use a present or past simple statement to name the above bits 0 and 1: