w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

authenticatorGetAssertion has no ConstraintError step for requireUserVerification #983

Closed emlun closed 6 years ago

emlun commented 6 years ago

authenticatorMakeCredential has the step

  1. If requireUserVerification is true and the authenticator cannot perform user verification, return an error code equivalent to "ConstraintError" and terminate the operation.

authenticatorGetAssertion also has a requireUserVerification parameter, but no equivalent step returning a "ConstraintError" if it is not supported. Step 7 reads

  1. [...]

If requireUserVerification is true, the method of obtaining user consent MUST include user verification.

[...]

but leaves unspecified what should happen if this MUST cannot be satisfied.

CTAP does return identical error codes from both operations if the argument value is unsupported, so adding the missing step to authenticatorGetAssertion would not affect compatibility with CTAP.

nadalin commented 6 years ago

@emlun un you MUST, we don't have alternatives to MUSTS, suggest to close no action

emlun commented 6 years ago

Sorry, I don't understand what you mean by this:

un you MUST, we don't have alternatives to MUSTS

emlun commented 6 years ago

Decided on 2018-07-11 WG call to close this.

emlun commented 6 years ago

This situation should not happen because the client algorithm specifies

If options.userVerification is set to required and the authenticator is not capable of performing user verification, continue.
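The interaction discussed in this thread, as an added example that is not part of the issue, the specification text, or any browser's code: a simplified model of the client's authenticator loop and of an authenticator-side guard like the one the issue proposed. The function names, the `canVerifyUser` field and the sample authenticators are constructed for illustration.

```javascript
// Simplified model; all names and the canVerifyUser field are hypothetical.
// Maps options.userVerification to the requireUserVerification flag for one authenticator.
function effectiveRequireUV(userVerification, authenticator) {
  switch (userVerification) {
    case "required": return true;
    case "preferred": return authenticator.canVerifyUser;
    case "discouraged": return false;
    default: throw new TypeError("unknown userVerification: " + userVerification);
  }
}

// Client side: decide which authenticators are used and which flag each receives.
function planGetAssertion(options, authenticators) {
  const dispatched = [];
  for (const authenticator of authenticators) {
    // The client step quoted in the last comment: skip authenticators that cannot do UV.
    if (options.userVerification === "required" && !authenticator.canVerifyUser) continue;
    dispatched.push({
      name: authenticator.name,
      requireUserVerification: effectiveRequireUV(options.userVerification, authenticator),
    });
  }
  return dispatched;
}

// Authenticator side, with a guard mirroring the authenticatorMakeCredential step.
// Simplification: user verification is performed only when it is required.
function authenticatorGetAssertion(authenticator, requireUserVerification) {
  if (requireUserVerification && !authenticator.canVerifyUser) {
    return { error: "ConstraintError" };
  }
  return { userVerified: requireUserVerification };
}

// Constructed sample authenticators.
const sampleAuthenticators = [
  { name: "platform-biometric", canVerifyUser: true },
  { name: "presence-only-key", canVerifyUser: false },
];

// True if any userVerification setting makes the client trigger the guard.
function guardReachable(authenticators) {
  return ["required", "preferred", "discouraged"].some((uv) =>
    planGetAssertion({ userVerification: uv }, authenticators).some((d) => {
      const a = authenticators.find((x) => x.name === d.name);
      return authenticatorGetAssertion(a, d.requireUserVerification).error !== undefined;
    }));
}
```

In this model the guard fires only when the authenticator operation is invoked directly with an unsupported flag, never through the client loop.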