[Webkit-unassigned] [Bug 204111] New: User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 12 05:16:02 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204111

            Bug ID: 204111
           Summary: User Verification (UV) option present on a CTAP2
                    authenticatorMakeCredential while the authenticator
                    has not advertised support for it
           Product: WebKit
           Version: Safari 13
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kostas at yubico.com

The latest public FIDO2 CTAP spec mandates authenticators to terminate any ongoing procedures with CTAP2_ERR_UNSUPPORTED_OPTION if any of the options passed are not supported by the authenticator. In this case, a CTAP2 authenticatorMakeCredential from Safari sets the UV option to FALSE even if the authenticator never advertised support for it in the authenticatorGetInfo response. The expected behavior here would be to not include the UV option at all since it is not supported (and not set it to FALSE or TRUE). See chapter 5.3 in the latest FIDO2 CTAP spec, step 3 in the procedure of authenticatorMakeCredential and step 5 in the procedure for authenticatorGetAssertion. Please note that the above is applicable to the authenticatorGetAssertion requests as well.

Latest public spec: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
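
The option handling described in the report, as an added example (not code from the report, WebKit or Yubico). It models only the "uv" key; the function names, the map representation of the CBOR options and the sample getInfo options are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Options map of a CTAP2 request or getInfo response; an empty map means
// the options parameter is omitted from the request.
typedef std::map<std::string, bool> OptionMap;

const uint8_t CTAP2_OK = 0x00;
const uint8_t CTAP2_ERR_UNSUPPORTED_OPTION = 0x2B;

// Constructed sample: getInfo options of an authenticator that does not list "uv".
OptionMap sampleGetInfoOptions() {
    OptionMap o;
    o["rk"] = true;
    o["up"] = true;
    return o;
}

// Behaviour the report describes: "uv" is always sent, whatever getInfo said.
OptionMap buildOptionsAlwaysUV(const OptionMap&, bool wantUV) {
    OptionMap o;
    o["uv"] = wantUV;
    return o;
}

// Behaviour the report expects: send "uv" only if the authenticator advertised the key.
OptionMap buildOptionsAdvertisedOnly(const OptionMap& getInfoOptions, bool wantUV) {
    OptionMap o;
    if (getInfoOptions.count("uv"))
        o["uv"] = wantUV;
    return o;
}

// Authenticator-side check for "uv": present but unsupported ends the procedure.
uint8_t processOptions(const OptionMap& advertised, const OptionMap& request) {
    if (request.count("uv") && !advertised.count("uv"))
        return CTAP2_ERR_UNSUPPORTED_OPTION;
    return CTAP2_OK;
}

int main() {
    OptionMap info = sampleGetInfoOptions();
    std::printf("always uv:       0x%02X\n", (unsigned)processOptions(info, buildOptionsAlwaysUV(info, false)));
    std::printf("advertised only: 0x%02X\n", (unsigned)processOptions(info, buildOptionsAdvertisedOnly(info, false)));
    return 0;
}
```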