§6.1. Steps to generate authenticator data should include BE and BS flags
Proposed Change
§6.1. Authenticator Data defines a procedure "Authenticators perform the following steps to generate an authenticator data structure", which includes the step:
- The UP flag SHALL be set if and only if the authenticator performed a test of user presence. The UV flag SHALL be set if and only if the authenticator performed user verification. The RFU bits SHALL be set to zero.
This step, or perhaps a new subsequent step, should also reference setting the BE and BS flags.
Related: #2063
Just want to make sure that SHOULD is used instead of SHALL if it's not required for RPs to enforce that BE and BS are not 0 and 1 respectively. As the linked issue explains, the RFU bits are not supposed to be enforced to be 0; however, "Authenticators perform the following steps to generate an authenticator data structure" mistakenly states they SHALL (i.e., MUST) be 0.
It is correct that authenticators SHALL set the RFU bits to zero, but as discussed in https://github.com/w3c/webauthn/issues/2063#issuecomment-2085263218, RPs should not enforce this as that would break those RPs if these bits are allocated in the future (unless the RP wants that breakage to happen, of course).
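An RP-side check along the lines discussed in this thread, as an added example that is not part of the issue or of the spec text: it decodes the flags byte of authenticator data, rejects on a missing UP flag, rejects the impermissible BE=0/BS=1 combination, and deliberately does not reject on RFU bits (the function and constant names are my own; the sample authenticator data is constructed).

```python
# Added example (not from w3c/webauthn): RP-side handling of the flags byte.

# Bit positions of the authenticator data flags byte (WebAuthn §6.1).
FLAG_UP = 1 << 0    # User Present
FLAG_RFU1 = 1 << 1  # Reserved for future use
FLAG_UV = 1 << 2    # User Verified
FLAG_BE = 1 << 3    # Backup Eligibility
FLAG_BS = 1 << 4    # Backup State
FLAG_RFU2 = 1 << 5  # Reserved for future use
FLAG_AT = 1 << 6    # Attested credential data included
FLAG_ED = 1 << 7    # Extension data included


def parse_flags(auth_data: bytes) -> dict:
    """Decode the flags byte at offset 32 (it follows the 32-byte rpIdHash)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    f = auth_data[32]
    return {
        "UP": bool(f & FLAG_UP), "UV": bool(f & FLAG_UV),
        "BE": bool(f & FLAG_BE), "BS": bool(f & FLAG_BS),
        "AT": bool(f & FLAG_AT), "ED": bool(f & FLAG_ED),
        "RFU": bool(f & (FLAG_RFU1 | FLAG_RFU2)),
    }


def check_flags(auth_data: bytes, require_uv: bool) -> list:
    """Return the reasons to reject; an empty list means accept.
    RFU bits are intentionally not a rejection reason: the spec reserves
    them for future allocation, so an RP that rejects them would break
    once they are assigned a meaning."""
    flags = parse_flags(auth_data)
    problems = []
    if not flags["UP"]:
        problems.append("UP flag not set")
    if require_uv and not flags["UV"]:
        problems.append("UV required but not set")
    # BE=0 with BS=1 is not a permitted combination: a credential that is
    # not backup-eligible cannot currently be backed up.
    if not flags["BE"] and flags["BS"]:
        problems.append("BS set without BE")
    return problems


def make_auth_data(flags: int) -> bytes:
    """Constructed sample: all-zero rpIdHash, the given flags byte, signCount 0."""
    return bytes(32) + bytes([flags]) + (0).to_bytes(4, "big")
```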