-
Martin Kreichgauer authored
See https://www.w3.org/TR/webauthn/#sec-authenticator-data. AFAIU, the spec is not exactly clear whether or not to set this bit from a user verifying authenticator. It says that the bit should be set if the user is "present", which is defined as having successfully completed a "user presence test". User presence test is defined separately from user verification test (which is what Touch ID does). Logically, a user verification test always includes a user presence test, but the spec doesn't say so explicitly. Regardless of what the spec says, setting both bits seems less likely to confuse server implementations IMO. A naive server e.g. might *just* check for the UP bit, and if it is not set reject the response, even though the UV bit is set. Hence, we should probably set both. Bug: 678128 Change-Id: I02be366dba324e4f9b83ba0d354a674242fc72dc Reviewed-on: https://chromium-review.googlesource.com/1137216 Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by:
Kim Paulhamus <kpaulhamus@chromium.org> Cr-Commit-Position: refs/heads/master@{#575386}
9be10b62
