-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#getAssertion alg needs to pass authenticator selection requirements to authenticatorGetAssertion operation #644
Comments
@equalsJeffH We are not doing any authenticator selection enhancements in this release, yiu can use the extensions to do what you need for now. |
It's not an enhancement. You will need to pass the UV bit in getAssertion or else the authenticator won't know whether or not to enforce UV and ask for a PIN, etc. |
It's an oversight left over from when we added UV to create() but forgot to do the same for get() |
Actually it looks intentional to me - §5.4.4 Authenticator Selection Criteria reads:
Note the and future "make an assertion" operations. |
That said, I support adding UV as a parameter to get() also. |
I agree with adding this, too. |
@leshi: I was referring to comments in #629 (comment) |
Thanks for pointing that out, @emlun. I appreciate you taking the time to find this in the spec! ^_^ Let me rewind the clock a bit, take us all back in time. The reason we added a UV bit in the signature format way back when was so that a key can be created with UV, but then use by the RP sometimes with and sometimes without user verification. The alternative was to create two keys (one to be used with UV and one to be used without), but we all decided that this was a bad idea. In any case, as currently defined (see note from @emlun above), it is impossible to sometimes generate assertions with UV and sometimes without using the same key. Also, as currently defined, we won't be able to support future use cases such as silent authenticators, uv caching, etc. |
Let's separate silent behavior from "uv" discussion. We don't want that ever to happen. and corresponding option is "up" and not "uv". We won't be able to support any design which cannot achieve this requirement. "UV" caching is different and I don't think we are ready for it in this version and we should target next version for this. Regarding "uv", conversation is slightly complex. As I said in #629, one workflow where RP can decide whether they care or not about "uv" or not is when they receive the signature. In another workflow, where RP always want it, it can reject that signature if authenticator is not capable of doing it. Only case where RP does not really need user verification to happen, current API does not support that semantics when a UV capable authenticators comes along. This also is tricky, as RP does not know what kind of authenticator user will plug it in, when RP just asks for assertion without providing any credential ID (without any userID knowledge flows). In that sense, RP is just asking me tell me what you have (what credential, whether UV is set or not etc). RP cannot decide in advance what kind of user it is and what kind of authenticator he/she has and correspondingly does not provide any allowed credentialID list . Anyway, looks like current design does not support one use case where RP does not want user verification to happen every-time it asks for assertion. For all other cases, signature reflects what you got and RP can act on it. If people really care about that scenario, below proposal IMO achieves all above cases. enum name of
|
I propose renaming the |
What we are discussing is platform semantics when calling authenticators. Authenticators are still free to send "uv" bit even if platform has not asked for it (for example, in case of face/fingerprint authenticators). |
Now you're contradicting yourself. Your previous comment reads:
Assuming that you mean "Authenticator MUST NOT ask...", I interpret this to mean that the authenticator is indeed not allowed to set the UV bit. |
Ah. I realized the typo in the initial proposal. Apologies. I meant to say "Platform MUST not ask for user verification" instead of "Authenticator MUST not ask for". I edited the comment. For example, some vendor builds a finger print authenticator whose semantics are that it always do user verification before releasing any signature. It may be their differentiation from other authenticators and it is their business decision. Same thing with face authenticators or some other kind. Whatever, it's their business decision. What we are saying is, RP may say that it does not need it ( may be UV/Client PIN semantics brings more user friction for majority of its customers) and platform must not ask for it. It does not mean that RP is going to reject it when authenticators give UV bit anyway because its their only way to release the signature. It is an additional security that RP does not need but can ignore it if that comes and does not harm them. If authenticator supports both type of signatures, (with UV/ClientPin semantics and with only touch), in that case, Platform will not ask for UV/ClientPin semantics and authenticator is free to give with signature without UV bit. |
Just to be clear here, this proposal is not enabling silent authenticators. From our view, enabling silent authenticators is very very dangerous from the RP's perspective and from general user's perspective and we cannot support that. That behavior potentially can be viewed as super cookie with no way to removing it even if user turn on all the knobs. |
Rather than |
wrt "silent authenticators", perhaps discuss over in issue #199 ? |
Let me know. Yeah, lets discuss "silent authenticators" in #199. |
Is there a big enough difference between
|
It is. In one scenario, RP wants to not pop up Client PIN UI/user verification due to friction and it OK with only user presence. In another scenario, RP accepts both type of signatures and as he does not know what kind of user is present, asks for default behavior and acts accordingly. |
Ah, so you mean that the RP may (1) require UV; (2) want, but not require, UV; (3) prefer skipping UV? Then the enum makes a lot of sense. I thought you meant that the RP may (1) require UV; (2) prefer skipping UV; (3) not care at all about UV. In that case there's not really that big a difference between (2) and (3). |
(1: Does it makes sense? |
Note that relevant other issues really ought to be addressed at the same time at this one (cf. #524 (comment)): see also:
|
I can take a stab at this. @equalsJeffH These links seem to be broken...
|
you need to be annointed as a part of https://github.com/fido-alliance org |
Fix #644: Add UV parameter to getAssertion
Ostensibly, RPs want/need to pass authenticatorSelection.requireUserVerification (aka "uv" in CTAP parlance) in the #getAssertion call, per issue #629.
However, authenticatorSelectionCriteria is part of MakePublicKeyCredentialOptions, which is not passed at all to #getAssertion, and thus is not subsequently passed to webauthn's authenticatorGetAssertion operation, which subsequently needs to pass both "uv" and "up" booleans as options to, for example, CTAP's authenticatorGetAssertion command.
See also issue #629
The text was updated successfully, but these errors were encountered: