Define "public key credential" to cover private keys, public keys, an…

…d assertions. Also fix some comments from equalsJeffH.
w3c · Oct 25, 2017 · 47c38f7 · 47c38f7
1 parent 493dd3c
commit 47c38f7
Showing 1 changed file with 43 additions and 34 deletions.
diff --git a/index.bs b/index.bs
@@ -297,6 +297,9 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
 :: The cryptographically signed {{AuthenticatorAssertionResponse}} object returned by an [=authenticator=] as the result of a
     [=authenticatorGetAssertion=] operation.
 
+    This corresponds to the [[CREDENTIAL-MANAGEMENT-1]] specification's single-use <a
+    spec="credential-management">credentials</a>.
+
 : <dfn>Authenticator</dfn>
 :: A cryptographic entity used by a [=[WAC]=] to (i) generate a [=public key credential=] and register it with a [=[RP]=],
     and (ii) [=authentication|authenticate=] by potentially [=user verification|verifying the user=], and then 
@@ -340,14 +343,15 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
     given in this specification, and handling communication between [=authenticators=] and [=[RPS]=].
 
 : <dfn>Credential ID</dfn>
-:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=].
+:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=] and its [=authentication assertions=].
 
     Credential IDs are generated by [=authenticators=] in two forms:
-    1. Bytes with at least 100 bits of entropy, or
-    1. The [=public key credential source=], without its [=public key credential source/id=] item, encrypted so only the owning
-        authenticator can decrypt it.
+    1. At least 16 bytes that include at least 100 bits of entropy, or
+    1. The [=public key credential source=], without its [=Credential ID=], encrypted so only the owning authenticator can
+        decrypt it. This form allows the [=authenticator=] to be nearly stateless, by having the [=[RP]=] store any necessary
+        state.
 
-    [=[RPS]=] don't need to distinguish these two kinds of Credential IDs.
+    [=[RPS]=] do not need to distinguish these two [=Credential ID=] forms.
 
 : <dfn>Credential Public Key</dfn>
 :: The public key portion of an [=[RP]=]-specific <dfn>credential key pair</dfn>, generated by an [=authenticator=] and
@@ -357,41 +361,46 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
     for details.
 
 : <dfn>Public Key Credential Source</dfn>
-:: A [=credential source=] that can generate [=public key credentials=].
-
-    This consists of a [=struct=] with the following [=struct/items=]:
-    <dl dfn-for="public key credential source">
-        : <dfn>type</dfn>
-        :: A {{PublicKeyCredentialType}}, defaulting to {{public-key}}.
-        : <dfn>id</dfn>
-        :: A [=Credential ID=].
-        : <dfn>privateKey</dfn>
-        :: The [=credential private key=].
-        : <dfn>rpId</dfn>
-        :: The [=Relying Party Identifier=] for the [=[RP]=] that created this credential source.
-        : <dfn>userHandle</dfn>
-        :: The [=user handle=] associated when this credential source was created.
-        : <dfn>otherUI</dfn>
-        :: Other information used by the authenticator to inform its UI. For example, this might include the user's
-            {{displayName}}.
-    </dl>
+:: A [=credential source=] ([[CREDENTIAL-MANAGEMENT-1]]) used by an [=authenticator=] to generate [=authentication assertions=]. A public key credential source has:
 
-    The [=authenticatorMakeCredential=] operation creates [=public key credential sources=] and returns the matching
-    [=credential public key=] with which a [=[RP]=] can verify the [=public key credentials=] it creates.
+    * A [=Credential ID=].
+    * A [=credential private key=].
+    * The [=Relying Party Identifier=] for the [=[RP]=] that created this credential source.
+    * An optional [=user handle=] in which the [=[RP]'s=] describes the person who created this credential source.
+    * Optional other information used by the authenticator to inform its UI. For example, this might include the user's
+        {{displayName}}.
 
+    The [=authenticatorMakeCredential=] operation creates a [=public key credential source=] bound to an [=authenticator=] and
+    returns the [=credential public key=] associated with its [=credential private key=]. The [=[RP]=] can use this [=credential
+    public key=] to verify the [=authentication assertions=] created by this [=public key credential source=].
 
 : <dfn>Public Key Credential</dfn>
-:: An instance of {{PublicKeyCredential}} in which {{PublicKeyCredential/response}} holds an {{AuthenticatorAssertionResponse}}
-    proving possession of a particular [=credential private key=].
 
-    Note: This is a [=willful violation=] of [[RFC4949]]. In English, a "credential" is both a) the thing presented to prove a
-    statement and b) intended to be used multiple times. It's impossible to achieve both criteria with a single piece of data in
-    a public key system. [[RFC4949]] chooses to define a credential as the thing that can be used multiple times (the public
-    key), while this specification chooses to define a credential as the proof.
+:: A WebAuthn [=public key credential=] is either a [=public key credential source=], the
+    possibly-[=attestation|attested=] [=credential public key=] corresponding to a [=public key credential source=], or an
+    [=authentication assertion=]. Which one is generally determined by context.
+
+    <div class="note">
+        Note: This is a [=willful violation=] of [[RFC4949]]. In English, a "credential" is both a) the thing presented to prove
+        a statement and b) intended to be used multiple times. It's impossible to achieve both criteria securely with a single
+        piece of data in a public key system. [[RFC4949]] chooses to define a credential as the thing that can be used multiple
+        times (the public key), while this specification gives "credential" the English term's flexibility. This specification
+        uses more specific terms to identify the data related to an [[RFC4949]] credential:
+
+        : "Authentication information", including the private key
+        :: [=Public key credential source=]
+        : "Signed value"
+        :: [=Authentication assertion=]
+        : [[RFC4949]] "credential"
+        :: [=Credential public key=] or [=attestation object=]
+    </div>
 
-    A [=public key credential=] is created by the [=authenticatorGetAssertion=] operation using a [=public key credential
-    source=] created by a previous [=authenticatorMakeCredential=] call. The [=[RP]=] verifies it using the [=credential public
-    key=] returned from that [=authenticatorMakeCredential=] call via {{PublicKeyCredential/[[Create]]()}}.
+    At [=registration=] time, the [=authenticator=] creates an asymmetric key pair, and stores its [=credential private
+    key|private key portion=] and information from the [=[RP]=] into a [=public key credential source=]. The [=credential public
+    key|public key portion=] is returned to the [=[RP]=], who then stores it in conjunction with the present user's account.
+    Subsequently, only that [=[RP]=], as identified by its [=RP ID=], is able to employ the [=public key credential=] in
+    [=authentication|authentication ceremonies=], via the {{CredentialsContainer/get()}} method. The [=[RP]=] uses its stored
+    copy of the [=credential public key=] to verify the resultant [=authentication assertion=].
 
 : <dfn>Rate Limiting</dfn>
 :: The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting