| Summary | [WebAuthn] Don't set the UV option if the authenticator doesn't support it |
|---|---|
| Product | WebKit |
| Component | WebKit Misc. |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | Safari Technology Preview |
| Hardware | iPhone / iPad |
| OS | Unspecified |
| Reporter | login Llama <loginllama> |
| Assignee | Jiewen Tan <jiewen_tan> |
| CC | bfulgham, darin, duwoka, jiewen_tan, navindra, webkit-bug-importer |
| Keywords | InRadar |
| Bug Depends on | |
| Bug Blocks | 181943 |

Description
login Llama
2020-08-25 20:31:34 PDT
I retested with iOS developer beta 6, and as expected the behavior is the same.

The spec suggests: "user verification: Instructs the authenticator to require a gesture that verifies the user to complete the request. Examples of such gestures are fingerprint scan or a PIN." The "PIN" mentioned there is confusing with ClientPIN. Should we fix this confusing text in CTAP 2.1 as well? @John, what do you think?

*** Bug 216180 has been marked as a duplicate of this bug. ***

*** Bug 214266 has been marked as a duplicate of this bug. ***

Created attachment 408682 [details]
Patch
Created attachment 409111 [details]
Patch
Each authentication requires a test of user presence.

In some cases the user verification method also provides the test of user presence such as a fingerprint.

The clientPIN is never considered a test of user presence.

Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost totally re-written.

There is still some up caching text that Jeff is still working on so it is not totally merged.

RD02 should be available shortly. Let me know if you think it is still confusing.

(In reply to login Llama from comment #8)
> Each authentication requires a test of user presence.
>
> In some cases the user verification method also provides the test of user
> presence such as a fingerprint.
>
> The clientPIN is never considered a test of user presence.
>
> Now in CTAP2.1 with the pinUvAuthToken the explanation has been almost
> totally re-written.
>
> There is still some up caching text that Jeff is still working on so it is
> not totally merged.
>
> RD02 should be available shortly. Let me know if you think it is still
> confusing.

Sure.

Comment on attachment 409111 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review

> Source/WebCore/ChangeLog:14
> + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it

typo: authenticator

Comment on attachment 409111 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=409111&action=review

Thanks Darin for r+ this patch.

>> Source/WebCore/ChangeLog:14
>> + If an authetnicator supports ClientPin, it can set the uv bit in the responses to true but it
>
> typo: authenticator

Fixed.

Created attachment 409315 [details]
Patch for landing
Committed r267369: <https://trac.webkit.org/changeset/267369>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 409315 [details].
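
The behaviour named in the bug title and the UP/UV distinction discussed in the comments, as an added example that is not WebKit's code and not part of the original thread. It assumes CTAP2 `authenticatorGetInfo` semantics where `uv: true` means built-in user verification is configured and `clientPin: true` means a PIN is set; the function names, the plan object and the fallback policy are hypothetical.

```javascript
// Added example, not WebKit code. Constructed inputs; helper names are hypothetical.
const FLAG_UP = 0x01; // authenticator data flags, bit 0: user present
const FLAG_UV = 0x04; // authenticator data flags, bit 2: user verified

// Plan the user-verification part of a CTAP2 request.
// info: the "options" map from authenticatorGetInfo (assumed semantics:
//   uv === true -> built-in UV configured; clientPin === true -> a PIN is set).
// requirement: WebAuthn userVerification ("required" | "preferred" | "discouraged").
function planUserVerification(info, requirement) {
  const plan = { options: {}, usePinAuth: false, satisfiable: true };
  if (requirement === "discouraged") return plan;
  if (info.uv === true) {
    plan.options.uv = true; // only send uv when the authenticator advertises it
  } else if (info.clientPin === true) {
    plan.usePinAuth = true; // PIN travels as pinAuth, never as the uv option
  } else if (requirement === "required") {
    plan.satisfiable = false; // fail in the client instead of sending uv
  }
  return plan;
}

// Read UP and UV from authenticator data: 32-byte rpIdHash, then one flags byte.
function readFlags(authData) {
  if (authData.length < 37) throw new RangeError("authenticator data too short");
  const flags = authData[32];
  return { up: (flags & FLAG_UP) !== 0, uv: (flags & FLAG_UV) !== 0 };
}

// Relying-party check: UP is always expected; UV only when it is required.
function acceptAssertion(authData, requirement) {
  const { up, uv } = readFlags(authData);
  return up && (requirement !== "required" || uv);
}

// Constructed sample: zeroed rpIdHash, flags byte, 4-byte signature counter.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

A relying party that needs verification should check the UV flag in the response rather than infer it from the request it sent.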