Skip to content

Commit

Permalink
Merge pull request #1907 from w3c/1791-enforce-be-bs-flag-states
Browse files Browse the repository at this point in the history
Define RP processing of be and bs flags during `.create()` and `.get()`
  • Loading branch information
MasterKale authored Aug 9, 2023
2 parents 5bd3dd1 + 4514f5f commit 6b68667
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -5340,6 +5340,8 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo
1. If the [=[RP]=] requires [=user verification=] for this registration,
verify that the [=authData/flags/UV=] bit of the <code>[=flags=]</code> in |authData| is set.

1. If the [=authData/flags/BE=] bit of the <code>[=flags=]</code> in |authData| is not set, verify that the [=authData/flags/BS=] bit is not set.

1. If the [=[RP]=] uses the credential's [=backup eligibility=] to inform its user experience flows and/or policies, evaluate the
[=authData/flags/BE=] bit of the <code>[=flags=]</code> in |authData|.

Expand Down Expand Up @@ -5565,12 +5567,19 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
verify that the [=authData/flags/UV=] bit of the <code>[=flags=]</code> in |authData| is set.
Otherwise, ignore the value of the [=authData/flags/UV=] [=flag=].

1. If the [=authData/flags/BE=] bit of the <code>[=flags=]</code> in |authData| is not set, verify that the [=authData/flags/BS=] bit is not set.

1. If the credential [=backup state=] is used as part of [=[RP]=] business logic or policy,
let |currentBe| and |currentBs| be the values of the [=authData/flags/BE=] and [=authData/flags/BS=] bits, respectively,
of the <code>[=flags=]</code> in |authData|.
Compare |currentBe| and |currentBs| with
<code>|credentialRecord|.[$credential record/backupEligible$]</code> and <code>|credentialRecord|.[$credential record/backupState$]</code>
and apply [=[RP]=] policy, if any.
<code>|credentialRecord|.[$credential record/backupEligible$]</code> and <code>|credentialRecord|.[$credential record/backupState$]</code>:

1. If <code>|credentialRecord|.[$credential record/backupEligible$]</code> is set, verify that |currentBe| is set.

1. If <code>|credentialRecord|.[$credential record/backupEligible$]</code> is not set, verify that |currentBe| is not set.

1. Apply [=[RP]=] policy, if any.

Note: See [[#sctn-credential-backup]] for examples of how a [=[RP]=] might process the [=authData/flags/BS=] [=flag=] values.

Expand Down

0 comments on commit 6b68667

Please sign in to comment.