Authnr selection aaguidlist #479
Conversation
… from extensions!
|
The big PR 442 was split into smaller PRs. This is the one addressing aaguidList |
index.bs
Outdated
| @@ -1067,8 +1068,21 @@ associated. | |||
| :: This member describes the [=[RPS]=]' requirements regarding availability of the [=Client-side-resident Credential | |||
| Private Key=]. If the parameter is set to true, the authenticator MUST create a | |||
| [=Client-side-resident Credential Private Key=] when creating a [=public key credential=]. | |||
|
|
|||
| : <dfn>aaguidList</dfn> | |||
| :: If this member is [=present|present=], eligible authenticators are filtered to the ones identified by matching | |||
There was a problem hiding this comment.
AAGUID filtering needs to happen as a step in https://w3c.github.io/webauthn/#op-make-cred or https://w3c.github.io/webauthn/#createCredential depending on whether the Client or Authenticator has the relevant information, not in the definition of the dictionary field.
At this stage, we already have seen that there is a need to the RP to influence the authenticator selection in order to improve the user experience. As a consequence we have been adding the AuthenticatorSelectionCriteria object to the core specification. The discussion regarding the fields in AuthenticatorSelectionCriteria shows that it is difficult to determine now what the right criteria for authenticator selection will be in the future. So in my opinion there is substantial value for one generic method allowing the RP to formulate any rule for influencing the authenticator selection.
The AAGUID was introduced as an abstraction for the authenticator model name. I think it is less bulky to send over a (potentially large) list of AAGUIDs than sending over a (potentially) even larger list of acceptable attestation certificates. |
index.bs
Outdated
| @@ -598,6 +598,8 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
| to |authenticator|'s attachment modality, [=iteration/continue=]. | |||
| 1. If {{AuthenticatorSelectionCriteria/requireResidentKey}} is set to |true| and the |authenticator| | |||
| is not capable of storing a [=Client-Side-Resident Credential Private Key=], [=iteration/continue=]. | |||
| 1. If {{AuthenticatorSelectionCriteria/aaguidList}} is [=present|present=] and the | |||
| to |authenticator|'s AAGUID protection method is not included in that list, [=iteration/continue=]. | |||
There was a problem hiding this comment.
what's a "AAGUID protection method"?
There was a problem hiding this comment.
Copy&paste error. Corrected that
|
Can someone explain how AAGUIDs are used today? I personally am not aware of any authenticators that use AAGUIDs, so I would be inclined to not include this functionality in the spec. But I do think such authenticators exist. Can @rlin1 or someone else explain how this functionality would be used? What could you do that you can't do without this PR, and why is that important? |
|
TODO: add reference to FIDO Metadata Service as an example on where/how to get information on authenticator models. |
|
Response to #479 (comment): I am not aware of any webauthn authenticators today. I am aware of UAF and U2F authenticators. In UAF the RP is able to influence Authenticator selection for "makeCredential" based on the AAID (and other criteria). The authenticator selection-based AAID can be used to support arbitrary criteria to be implemented by the RP - even without requiring dedicated support for that in the API. I don't know how the RP could do that in U2F or in WebAuthentication - without this aaguidList approach. |
|
Please update this by 6/27 so we can discuss on 6/28 call |
|
changes requested by @leshi have been addressed. |
|
please merge-from-master (into this branch) and fix build errors, to facilitate further reviews, thx. |
|
I merged-from-master and fixed conflicts. |
There was a problem hiding this comment.
Overall this seems fine to me, we already state in #authenticator-model that "Each authenticator has an AAGUID...". As specified here, using the AAGUID for authnr selection is optional. And it could be helpful for enterprise use cases.
A meta-level question is whether having an AAGUID is mandatory for webauthn authnrs. The above-quoted statement does not use RFC2119 language. We could punt to FIDO Authnr Certification requirements, and not stipulate whether AAGUID is mandatory-to-impl here in the webauthn spec.
Given our discussions concerning what became #attestation-convey, and its defaulting to "none", consumer-space RPs will not be able to rely on knowing users' authnrs' AAGUIDs.
So whether or not AAGUIDs are actually MTI for authnrs, many RPs will not receive them, i.e., they are optionally available to RPs in any case. That ought to be made clear whether or not we decide to accept this PR, because AAGUID-based selection is presently a defined extension.
|
Overall, this PR looks fine to me but this is breaking WD07 which we all agreed was feature complete and probably not needed. Correct me if I am wrong here. There are two kinds of RPs, one who care about particular authenticators (for whatever reason, legal or otherwise and I don't want to rehash that discussion) and ones who don't care. Both of these can be addressed by current spec via direct attestation or null attestation(default case). This PR will short circuit faster (platform deciding earlier instead of RP) but essentially both ways achieve the same thing. If I remember correctly, there are other selection criterias (in addition to AAGUID) also which were pushed to L2 sometime back. Should we take care of this in L2 or do we need it now? |
|
Decided on call to move to L2. |
|
Per 03/07/19 F2F Close |
Close #478
Preview | Diff