w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

§6.1. Steps to generate authenticator data should include BE and BS flags #2064

Closed emlun closed 2 months ago

emlun commented 6 months ago

Proposed Change

§6.1. Authenticator Data defines a procedure "Authenticators perform the following steps to generate an authenticator data structure", which includes the step:

This step, or perhaps a new subsequent step, should also reference setting the BE and BS flags.

emlun commented 6 months ago

Related: #2063

zacknewman commented 6 months ago

Just want to make sure that SHOULD is used instead of SHALL if it's not required for RPs to enforce that BE and BS are not 0 and 1 respectively. As the linked issue explains, the RFU bits are not supposed to be enforced to be 0; however, "Authenticators perform the following steps to generate an authenticator data structure" mistakenly states they SHALL (i.e., MUST) be 0.

emlun commented 6 months ago

It is correct that authenticators SHALL set the RFU bits to zero, but as discussed in https://github.com/w3c/webauthn/issues/2063#issuecomment-2085263218, RPs should not enforce this as that would break those RPs if these bits are allocated in the future (unless the RP wants that breakage to happen, of course).
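The two sides of this thread map onto two pieces of code: the authenticator builds the flags byte (RFU bits zero, BS never set without BE), and the RP parses it, rejecting the invalid BE=0/BS=1 combination while tolerating nonzero RFU bits so that a future allocation of those bits does not break it. The following is an added example, not code from the spec or from this issue; the bit positions are those of the authenticator data flags byte in §6.1, and the RP ID, sign count and sample flag values are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions of the authenticator data flags byte (WebAuthn §6.1).
FLAG_UP = 1 << 0    # User Present
FLAG_RFU1 = 1 << 1  # Reserved for future use
FLAG_UV = 1 << 2    # User Verified
FLAG_BE = 1 << 3    # Backup Eligibility
FLAG_BS = 1 << 4    # Backup State
FLAG_RFU2 = 1 << 5  # Reserved for future use
FLAG_AT = 1 << 6    # Attested credential data included
FLAG_ED = 1 << 7    # Extension data included

RFU_MASK = FLAG_RFU1 | FLAG_RFU2


def authenticator_flags(*, up: bool, uv: bool, be: bool, bs: bool,
                        at: bool = False, ed: bool = False) -> int:
    """Authenticator side: build the flags byte.

    RFU bits are left at zero (the authenticator SHALL do so) and
    BS is refused when BE is clear, since a credential that is not
    backup eligible cannot be backed up.
    """
    if bs and not be:
        raise ValueError("BS=1 with BE=0 is not a valid combination")
    flags = 0
    for bit, on in ((FLAG_UP, up), (FLAG_UV, uv), (FLAG_BE, be),
                    (FLAG_BS, bs), (FLAG_AT, at), (FLAG_ED, ed)):
        if on:
            flags |= bit
    return flags


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Minimal authenticator data: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    Attested credential data and extensions are omitted (AT and ED clear)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags & 0xFF]) + struct.pack(">I", sign_count)


@dataclass(frozen=True)
class ParsedFlags:
    up: bool
    uv: bool
    be: bool
    bs: bool
    at: bool
    ed: bool
    rfu_bits: int  # whatever the authenticator put in the RFU positions


def parse_flags(flags: int) -> ParsedFlags:
    return ParsedFlags(
        up=bool(flags & FLAG_UP),
        uv=bool(flags & FLAG_UV),
        be=bool(flags & FLAG_BE),
        bs=bool(flags & FLAG_BS),
        at=bool(flags & FLAG_AT),
        ed=bool(flags & FLAG_ED),
        rfu_bits=flags & RFU_MASK,
    )


def rp_check_flags(auth_data: bytes, expected_rp_id: str,
                   require_uv: bool = False) -> ParsedFlags:
    """RP side: verify rpIdHash and the flags that the RP is entitled to enforce.

    The RP does NOT reject nonzero RFU bits: enforcing RFU == 0 would break
    this RP the day those bits are allocated (the point made in #2063).
    It does reject BE=0/BS=1, which no conforming authenticator emits.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if auth_data[:32] != expected_hash:
        raise ValueError("rpIdHash mismatch")
    flags = parse_flags(auth_data[32])
    if not flags.up:
        raise ValueError("UP flag not set")
    if require_uv and not flags.uv:
        raise ValueError("UV required but not set")
    if flags.bs and not flags.be:
        raise ValueError("BS=1 with BE=0 is not a valid combination")
    return flags


# Constructed sample data (hypothetical RP ID and sign count).
RP_ID = "example.com"
GOOD = build_authenticator_data(RP_ID, authenticator_flags(up=True, uv=True, be=True, bs=True), 7)
BAD_BS_WITHOUT_BE = build_authenticator_data(RP_ID, FLAG_UP | FLAG_BS, 7)
RFU_SET = build_authenticator_data(RP_ID, FLAG_UP | FLAG_RFU1 | FLAG_RFU2, 7)
```

`rp_check_flags(GOOD, RP_ID)` accepts a synced credential (BE=1, BS=1), `rp_check_flags(BAD_BS_WITHOUT_BE, RP_ID)` raises, and `rp_check_flags(RFU_SET, RP_ID)` accepts while reporting `rfu_bits == 0x22` so the RP can log the anomaly without failing the ceremony.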