CTAP 2.3 (rebased) #60
…option Fix error codes and check order.
…forcePINChange Use From instead of as usize for u8 conversion
…edential (§10.1.2.1)
…ull implementation
be809a1 to ce6c884
…PIN under forcePINChange + align setPin/getPinToken error codes
ce6c884 to 71b3b07
| // CTAP 2.3 §7.7: replace the legacy 10-second boot window with a | ||
| // continuous ≥5 s "long touch". The runner is responsible for timing | ||
| // the press and surfacing `consent::Level::Strong` here when the user | ||
| // holds the button long enough; anything weaker results in | ||
| // `OperationDenied`. |
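Review bot: The ≥5 s requirement in the second sentence is delegated entirely to the runner, and nothing in these lines names where that duration is defined or checked, so a runner that surfaces `consent::Level::Strong` for an ordinary press would pass this gate without a long touch. Suggest referencing the constant or runner contract that enforces the 5 s hold, and stating what happens on runners that cannot time a press. The first sentence also asserts that §7.7 replaces the 10-second boot window without quoting the wording that removes it; cite that wording or drop "replace".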
Where do you read that the 10-second boot window is unnecessary with the long touch? § 6.6 still contains the requirement:
> Additionally:
> […]
> - In case of authenticators with no display, request MUST have come to the authenticator within 10 seconds of powering up of the authenticator.
> […]
>
> If all conditions are met, the authenticator returns CTAP2_OK. … If the request comes after 10 seconds of powering up, the authenticator returns CTAP2_ERR_NOT_ALLOWED.
Also we would like to stick with the old behavior at the moment so this should be configurable.
Oh, I just interpreted it as "the spec finally says how to do it, so we can remove the custom way", but I don't have a strong opinion.
To clarify, you'd like to have both the 10s boot AND the long press as 2 paths? (basically long press is ctap23, and in addition we have the 10s boot?) If that's the case we can keep it, no need to complicate our lives and have configurations imo.
If you mean you'd like to have only the 10s, and not have the long press at all, then we should prob try out the integration tests.
I’m not sure what you mean by the “custom way”. CTAP 2.1 already specified the 10 second window after boot in § 6.6. My understanding is that we should always have the 10 second window to be compliant with CTAP 2.3.
For the NK3, I’d like to stick with the normal touch confirmation without the option to switch to long touch for the moment. So my suggestion would be to have a Config field that decides whether a short or a long touch is used (and thus whether the enableLongTouch command is available). Optionally, we could also make it configurable whether the default is short or long touch if long touch is supported, but I’m also fine with only using the long touch if it is enabled.
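The combination discussed in this thread (the 10-second power-up window always enforced, plus a config field choosing short or long touch), as an added example that is not code from this PR or the project. Every name in it (`Config`, `Touch`, `authorize`, `long_touch_supported`) is hypothetical, and checking the boot window before the touch level is an assumption.

```rust
use core::time::Duration;

// All names here are hypothetical; they are not the PR's types.
pub const BOOT_WINDOW: Duration = Duration::from_secs(10); // §6.6 as quoted above

/// Ordered so that a `Long` touch also satisfies a `Short` requirement.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Touch { None, Short, Long } // Long = continuous >= 5 s hold

#[derive(Clone, Copy)]
pub struct Config {
    /// Build-time choice: `false` keeps the short-touch-only behavior.
    pub long_touch_supported: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Error { NotAllowed, OperationDenied }

/// Long touch is required only if the build supports it and it was enabled.
pub fn required_touch(cfg: Config, long_touch_enabled: bool) -> Touch {
    if cfg.long_touch_supported && long_touch_enabled { Touch::Long } else { Touch::Short }
}

/// Gate for a display-less authenticator. The boot window is never skipped;
/// checking it before the touch level is an assumption of this example.
pub fn authorize(
    cfg: Config, long_touch_enabled: bool, uptime: Duration, touch: Touch,
) -> Result<(), Error> {
    if uptime > BOOT_WINDOW {
        return Err(Error::NotAllowed); // request arrived too long after power-up
    }
    if touch < required_touch(cfg, long_touch_enabled) {
        return Err(Error::OperationDenied); // weaker consent than required
    }
    Ok(())
}

fn main() {
    let s = Duration::from_secs;
    let short_only = Config { long_touch_supported: false };
    let with_long = Config { long_touch_supported: true };
    // Constructed sample inputs: (config, enabled flag, uptime, observed touch).
    println!("{:?}", authorize(short_only, true, s(3), Touch::Short));
    println!("{:?}", authorize(with_long, true, s(3), Touch::Short));
    println!("{:?}", authorize(with_long, true, s(11), Touch::Long));
}
```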