authenticatorGetAssertion has no ConstraintError step for requireUserVerification

[emlun]

authenticatorMakeCredential has the step

5. If requireUserVerification is true and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError" and terminate the operation.

authenticatorGetAssertion also has a requireUserVerification parameter, but no equivalent step returning a "ConstraintError" if it is not supported. Step 7 reads

7. [...]

If requireUserVerification is true, the method of obtaining user consent MUST include user verification.

[...]

but leaves unspecified what should happen if this MUST cannot be satisfied.

CTAP does return identical error codes from both operations if the argument value is unsupported, so adding the missing step to authenticatorGetAsserion would not affect compatibility with CTAP.

[nadalin]

@emlun un you MUST, we don't have alternatives to MUSTS, suggest to close no action

[emlun]

Sorry, I don't understand what you mean by this:

un you MUST, we don't have alternatives to MUSTS

[emlun]

Decided on 2018-07-11 WG call to close this.

[emlun]

This situation should not happen because the client algorithm specifies

If options.userVerification is set to required and the authenticator is not capable of performing user verification, continue.