[Webkit-unassigned] [Bug 204111] New: User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it
bugzilla-daemon at webkit.org
Tue Nov 12 05:16:02 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204111
Bug ID: 204111
Summary: User Verification (UV) option present on a CTAP2
authenticatorMakeCredential while the authenticator
has not advertised support for it
Product: WebKit
Version: Safari 13
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: kostas at yubico.com
The latest public FIDO2 CTAP spec mandates authenticators to terminate any ongoing procedures with CTAP2_ERR_UNSUPPORTED_OPTION if any of the options passed are not supported by the authenticator. In this case, a CTAP2 authenticatorMakeCredential from Safari sets the UV option to FALSE even if the authenticator never advertised support for it in the authenticatorGetInfo response. The expected behavior here would be to not include the UV option at all since it is not supported (and not set it to FALSE or TRUE). See chapter 5.3 in the latest FIDO2 CTAP spec, step 3 in the procedure of authenticatorMakeCredential and step 5 in the procedure for authenticatorGetAssertion. Please note that the above is applicable to the authenticatorGetAssertion requests as well.
Latest public spec: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html
--
You are receiving this mail because:
You are the assignee for the bug.
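The option handling described in the report, as an added example that is not WebKit's code or part of the original message: a client that includes "uv" only when the authenticator's authenticatorGetInfo options carry a "uv" entry, next to a client that always sends it, checked against a small model of the authenticator-side rejection. The function names, the `Options` map standing in for the decoded CBOR options, and the sample authenticators are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Decoded CBOR options map: option name -> boolean (hypothetical representation).
using Options = std::map<std::string, bool>;

constexpr uint8_t CTAP2_OK = 0x00;
constexpr uint8_t CTAP2_ERR_UNSUPPORTED_OPTION = 0x2B;

// Behaviour the report asks for: "uv" goes into the request only when the
// authenticator listed a "uv" entry in its authenticatorGetInfo options.
Options buildRequestOptions(const Options& getInfoOptions, bool wantUV) {
    Options request;
    if (getInfoOptions.count("uv"))
        request["uv"] = wantUV;
    return request;
}

// Behaviour the report describes: "uv" is always present, even when FALSE.
Options buildRequestOptionsAlwaysUV(bool wantUV) {
    Options request;
    request["uv"] = wantUV;
    return request;
}

// Simplified authenticator-side check, limited to "uv": an option that was
// never advertised but is present in the request ends the procedure.
uint8_t checkRequestOptions(const Options& getInfoOptions, const Options& request) {
    if (request.count("uv") && !getInfoOptions.count("uv"))
        return CTAP2_ERR_UNSUPPORTED_OPTION;
    return CTAP2_OK;
}

int main() {
    // Constructed sample: an authenticator without user verification.
    Options noUvKey = {{"rk", true}, {"up", true}};
    std::cout << "always-uv client:  0x" << std::hex
              << int(checkRequestOptions(noUvKey, buildRequestOptionsAlwaysUV(false))) << "\n";
    std::cout << "conditional client: 0x"
              << int(checkRequestOptions(noUvKey, buildRequestOptions(noUvKey, false))) << "\n";
    return 0;
}
```

The same options construction applies to authenticatorGetAssertion, which the report says is affected in the same way.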