Define Public Key Credential Source and Credential ID.

[jyasskin]

This also broadens the definition of "Public Key Credential" to include the several ways it's used, including the private key, attested public key, and assertion. This is a willful violation of RFC4949.

Credential ID is defined to explicitly include the possibility that it's the encrypted Credential Source.

---

Preview (#credential-i…) (#public-key-c…) (#public-key-c…) | Diff

[emlun]

You're right @jyasskin, #393 does define credentialId which would kind-of conflict with this one. I'll narrow the scope on the one in #393 somehow.

[jyasskin]

@rlin1 You've got a bunch of comments on #623 that are actually about this change.

The basic issue is about what to call the 3 things involved with using a credential:

1. The secret or capability that the client possesses.
2. The proof that the client has the secret/capability.
3. The thing that lets the RP verify the proof.

We have a couple different kinds of credentials, and I want the terms to be consistent across them. I think I'm fine with your suggestion of:

1. Credential
2. Assertion (We'd probably have to call this a "Credential Assertion" in general, but we could use the shorthand within this spec.)
3. No suggestion, but I'd say maybe "Credential Verifier"?

I think those work for passwords (the password is all three) and for SMS auth (1: SIM card; 2&3: OTP).

One difficulty is that credentials.get() returns a Credential rather than a CredentialAssertion, but we could just live with that inconsistency.

@mikewest, how do you feel about these names if I were to send a patch to Credential Manager?

[nadalin]

@jyasskin any reason why this can't be merged ?

[jyasskin]

@nadalin: Yes. @rlin1 objected to the particular definitions I wrote, and I haven't yet modified the definitions to match his preference. (The group could also say to override his preference, but I don't expect that outcome.)

[mikewest]

@mikewest, how do you feel about these names if I were to send a patch to Credential Manager?

Today, the CM API calls the thing that's handed to an origin to authenticate a user a Credential. It sounds like you'd like to change that to Credential Assertion or Assertion? And call the underlying secret thing that enables generation of the assertion Credential? I think I'm ok with that distinction, but we'll have to figure out what the web-facing implementation would look like (we're using Credential today for the thing I think you want to call Assertion, for instance).

[nadalin]

@jyasskin This seems like a breaking change if we change at this point, not sure this is a wise thing to do as we don't gain much from this

[jyasskin]

@mikewest That's right, and now that I'm thinking about this again, I'm not sure why I was generally positive on @rlin1's suggested naming (although I still don't hate it). We (Mike and I) talked about this during the merge, and decided that we should use the short name ("Credential") for the concept that's actually used by Javascript. Using Assertion in Javascript is probably not ok, since there can be other kinds of assertions, and using CredentialAssertion in JS when JS never sees Credential is kinda confusing.

I won't be at the WebAuthn meeting Wednesday, but I'd appreciate if the group could develop an opinion about the naming choices and report back. The choices so far are, for the capability/proof-of-possession/verifier:

1. My "Credential Source"/"Credential"/"Credential Verifier"
2. @rlin1's "Credential"/"Credential Assertion"/"Credential Verifier"

We could also use the "Credential Assertion" terminology in WebAuthn, but still call the type Credential in Javascript, although that might be confusing.

@nadalin I'm not sure what changes in here look breaking. This patch is just a bunch of definitions. Renaming the Credential type is breaking, but that's not proposed yet.

[mikewest]

We could also use the "Credential Assertion" terminology in WebAuthn, but still call the type Credential in Javascript, although that might be confusing.

That does seem confusing.

I'd be happiest with your #1 ("Credential Source"/"Credential"/"Credential Verifier"), given that I'm reluctant to change the web-exposed JS interface at this point.

[emlun]

I think "Credential Source" is technically correct but intuitively feels more like something that creates private keys. How about "Identity"? As in, an authenticator contains/represents an identity and generates credentials proving that identity. That also happens to match up neatly with "credential ID".

[nadalin]

@jyasskin OK, I thought I was reading that from what @mikewest was posting

[akshayku]

Looks good to me.

[equalsJeffH]

I am reviewing this and PR #623

[equalsJeffH]

It looks like this branch needs a merge-from-master -- will it help if I do that? I think i have contributor perms to jyassking/webauthn.

[jyasskin]

@emlun If I understand correctly, "identity" has other connotations that we don't want to apply to the private key owned by an authenticator, even though I agree that the private key can be used to authenticate as an identity.

@equalsJeffH I've rebased, but I haven't gone through @rlin1's comments to see what other terminology we should update if we stick with "Credential Source" as the name of the private key and associated information. If you can endorse particular items, I'll update their names in a new commit.

• Credential ID -> Credential Source ID
• assertion -> credential globally
• PublicKeyCredentialDescriptor -> PublicKeyCredentialSourceDescriptor

[selfissued]

This looks OK to me.

[equalsJeffH]

@jyasskin: if I understand correctly, you are suggesting these further changes to add to this PR..

• Credential ID -> Credential Source ID
• assertion -> credential globally
• PublicKeyCredentialDescriptor -> PublicKeyCredentialSourceDescriptor

..yes?

Those above suggestions would be breaking changes. It might be possible to convince folks to do "Credential ID -> Credential Source ID" -- it would only (breaking) change credentialidlength and credentialid in section #sec-attested-credential-data.

Otherwise, IIUC, I do not support the other two changes at this time, and am not sure they would buy us that much in general. Those latter two changes, especially renaming "assertion", would be quite invasive, both editorially and technically (ie, in renaming API components, section names, terminology, etc, senses).

In any case, I have detail-level comments that I'm working on entering in that I generally support this PR's present substance.

[jyasskin]

@equalsJeffH Sounds good. I'm happy not adding any extra changes to this PR too; just wanted to get an explicit opinion on @rlin1's apparent suggestions.

[equalsJeffH]

Thanks for taking a stab at this @jyasskin. I think I understand and generally agree with your desire to reconcile terminology between webauthn and credential-management -- especially the notion of credential source.

But overall it seems ok for there to be a bit of a terminology impedance mismatch between webauthn and credential-management: e.g., a webauthn assertion is an example what credman terms a single-use credential.

I have a bunch of detail-level comments below but I have given up on them and propose I submit a proposed in-whole build on these Credential ID, Credential public key, public key cred source, and public key cred definitions. (so the comments below are sort of hints wrt what I'm thinking)

Though, if we truly are not going to make any breaking renaming changes between this and PR #623 (I have comments to also submit on that), then I think we can punt this to CR and I can craft up the proposal after completing what I need to yet do for WD-07.

WDYT?

[equalsJeffH]

what would the be min length for 100 bits of entropy? I am thinking there ought to be a not-less-than-this-number-of-bytes stipulation here along with the "with at least 100 bits of entropy" stipulation.

[jyasskin]

"At least 16 bytes"?

I don't think this actually gains us much vs the obvious 13 bytes needed to store 100 bits. RPs can't optimize based on knowing they'll always use at least 16 bytes, and a broken authenticator that gives fewer bits of entropy wouldn't also return fewer bytes to flag that.

[equalsJeffH]

hm. this seems to be suggesting to wrap (ie, bundle up & encrypt) a whole passel of stuff to form the Credential ID, given what all is listed in the [=public key credential source=] definition.

In U2F, only the private key and appID are wrapped. In UAF, the wrapped tuple is ( KHAccessToken, cred private key (UAuth.priv), userhandle size, userhandle ).

We need to explicitly decide what is wrapped for "webauthn authenticators".

Also, we ought to provide some guidance on key wrapping algs and such. Either we should cite e.g. [SP800-57] and [SP800-38F] as UAF does, or perhaps just cite FIDO Authenticator Allowed Cryptography List

[jovasco]

In U2F, there is no definition of what is inside a key handle. It is defined as an opaque blob of up to 256 bytes (but private key and AppID are a functional minimum). It just says these fields MAY be included.

I believe webauthn should not try to define what is inside this blob. The contents will depend on the authenticator needs (with or without display, first or second factor, local storage, supported extensions, ...). It's pretty obvious what to include based on what the vendor chooses to support. I believe trying to define it will either impose unnecessary limits or just be stating the obvious. It can't be verified anyway.

As for guidance of how it is wrapped: make sure it cannot collide with the requirements of the FIDO security requirements working group.

[jyasskin]

Fundamentally, the list here is the private key, the rpId (which is equivalent to the appID and I think also to the KHAccessToken), the user handle, and optional extra information to inform any UI the authenticator might expose. I think the user handle should also be optional to accommodate U2F. Are there any other fields we should explicitly call out here?

I'd rather have a separate PR to constrain the key-wrapping algorithms. For that change ... I'm not confident we should constrain those, although non-normatively referring to the Allowed Cryptography list seems fine. Is that list going to keep updating in the future as new vulnerabilities are discovered and new algorithms are invented? What's the stable reference to it? Will it be an IANA registry?

[equalsJeffH]

I would have more description of the purposful difference between the two forms. the 2nd form allowing an authnr to be more or less stateless by storing the state back with the RP server. We ought to say this explicitly.

[jyasskin]

I've added a rough description of this benefit of the second form.

[equalsJeffH]

suggest:
[=[RPS]=] do not need to distinguish these two [=redential ID=] forms.

[jyasskin]

Done.

[equalsJeffH]

Hm. We've been trying to keep the explanatory/intro text free of gnarly code-like details, and link to the latter as appropriate. I note that the above struct layout is duplicated down in section authenticatorMakeCredential (#op-make-cred) over in PR #623. I'm thinking that the latter (or nearby there) is the correct place for it, rather than here in terminology section.

[jyasskin]

Ok, done. Thanks for pushing back when explanatory sections are too code-like.

[equalsJeffH]

suggest:
The [=authenticatorMakeCredential=] operation creates [=public key credential sources=] bound to the [=authenticator=] and returns the associated

[jyasskin]

I've reworded this a little more, but included your suggestion.

[equalsJeffH]

well, there's two flavors of PK Cred returned -- an attested one from #createCredential aka [[Create]](), and an asserted proof-of-possession one (i.e., an assertion) from #getAssertion aka [[DiscoverFromExternalSource]]().

I'm wondering whether we can use the qualified terms "attested public key credential" and "public key credential assertion" (aka: an assertion in short form) to distinguish them.

[jyasskin]

We have terms for both of those uses ("attestation object" and "authentication assertion"), so I'd rather not define additional synonyms.

[equalsJeffH]

ok

[equalsJeffH]

i think this is important to note, thanks. tho, RFC4949 is only "Informational", so not strictly necessary to call out, but I think it is a good idea to do so.

[equalsJeffH]

suggest:
s/criteria/criteria securely/

[jyasskin]

Done.

[equalsJeffH]

I do not think we can at this time reasonably change "assertion" to be "public key credential", which is what the above statement is attempting, IIUC.

Plus, we have designed the PublicKeyCredential object such that it may be used to convey attested credential data (at credential source creation time) or not (at assertion generation time).

suggest:
A [=credential source=] used by an [=authenticator=] to generate [=authentication assertions=].

[jyasskin]

Done.

Per 2017-10-25 meeting discussion, I've updated the whole change to use "assertion" where it had been using "credential", and to treat "credential" as the union of "assertions" and "credential sources".

[equalsJeffH]

reviewed: #620 (review)

[equalsJeffH]

also on pr #620, i would like to find a way to retain a fair bit of the current public key credential terminology definition rather than just supplanting it, thanks.

[jyasskin]

@equalsJeffH I've tried to keep more of the current "public key credential" definition.

[jyasskin]

I've added a rough description of this benefit of the second form.

[jyasskin]

"At least 16 bytes"?

I don't think this actually gains us much vs the obvious 13 bytes needed to store 100 bits. RPs can't optimize based on knowing they'll always use at least 16 bytes, and a broken authenticator that gives fewer bits of entropy wouldn't also return fewer bytes to flag that.

[jyasskin]

Fundamentally, the list here is the private key, the rpId (which is equivalent to the appID and I think also to the KHAccessToken), the user handle, and optional extra information to inform any UI the authenticator might expose. I think the user handle should also be optional to accommodate U2F. Are there any other fields we should explicitly call out here?

I'd rather have a separate PR to constrain the key-wrapping algorithms. For that change ... I'm not confident we should constrain those, although non-normatively referring to the Allowed Cryptography list seems fine. Is that list going to keep updating in the future as new vulnerabilities are discovered and new algorithms are invented? What's the stable reference to it? Will it be an IANA registry?

[jyasskin]

Done.

[jyasskin]

Done.

Per 2017-10-25 meeting discussion, I've updated the whole change to use "assertion" where it had been using "credential", and to treat "credential" as the union of "assertions" and "credential sources".

[jyasskin]

Ok, done. Thanks for pushing back when explanatory sections are too code-like.

[jyasskin]

I've reworded this a little more, but included your suggestion.

[jyasskin]

Done.

[jyasskin]

We have terms for both of those uses ("attestation object" and "authentication assertion"), so I'd rather not define additional synonyms.

[equalsJeffH]

overall LGTM -- I do have some detail-level comments, thanks :)

[equalsJeffH]

wrt "encrypted": we need to specify/reference key-wrapping criteria. E.g., see the "Cryptographic (Crypto) Kernel", "KeyHandle", and "Wrap.sym" sections of the table at https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html#security-guidelines

Once these webauthn mods are merged-to-master, we need to submit an issue regarding this.

[rlin1]

There could also be a third form: some hash value derived from the public key or some encrypted data. We might want to rephrase the option 1 to include such approach.

[rlin1]

Or do you consider such option being included in 1. already?

[jyasskin]

@equalsJeffH I've added a note referring to those guidelines for now.

@rlin1 I changed item 1 in f1f9a07 to talk about bits of entropy instead of random numbers in order to include hashes.

[equalsJeffH]

s/[=[RP]'s=]/[=[RP]=]/

the user handle is specifically intended to be a RP user account database primary key--i.e., "A user handle is an opaque byte sequence..."--we should be consistently describing it as such.

[jyasskin]

Hm, maybe "user handle for the person who"?

[equalsJeffH]

oh, ok, so we can define "owning authenticator" here:
s/bound to an [=authenticator=]/bound to an <dfn>owning authenticator</dfn>/ -- yes?

[aside: I personally do not like the prevalent use of "own"/"owning"/etc in the computer&network world (it has connotations that do not hold in cyberspace), and would personally prefer to us "managing", though can grit teeth and live with "owning" if no one else cares to join Sisyphus here...]

[jyasskin]

I'm not attached to "owning", and I'd be introducing the first use in this spec. Done.

[equalsJeffH]

s/, including the private key/ (possibly including a private key)/

[jyasskin]

Done.

[equalsJeffH]

overall I like this "public key credential" definintion, thanks for bearing with me :)

I do remain partial, tho, to retaining the opening sentence of "Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949].", if that's ok with folks -- i think it appropriately sets the overall context for the reader.

[rlin1]

Not sure I understand this: here public key credential could be equal to a public key credential source. That confuses me.

[rlin1]

OK, got it: The term "public key credential" is used for both, the public key and the assertion.

[equalsJeffH]

perhaps:
s/A webauthn/The term/
s/is either/refers to/
..?

[jyasskin]

Done.

[equalsJeffH]

great, thanks for including the above :)

because revised version LGTM

[rlin1]

Don't think this term (public key credetial source) is a good fit here.
When I look at the def of pk cred source below, this sounds pretty much like the authenticator itself.
But the Credential ID should identify a specific credential, correct?

[rlin1]

I think we should use the term credential for the authentication key (pair).

[rlin1]

The current definition of Credential Public Key also suggests that meaning (IMHO)

[jyasskin]

Note that you were reviewing an old version here.

[rlin1]

would propose 100 bits.

[rlin1]

sounds like authenticator. Is that intentional?

[rlin1]

why credential source here and not credential?

[rlin1]

OK, got it now. Until now I thought we used the term credential for the authentication public/private key (and not for the signature assertion).
Here it seems you want to use the term public key credential for the assertion itself.

[rlin1]

I am quite sure we would have to check all other occurences of public key credential to be in-line with this re-defined meaning.

[rlin1]

This terminology is not aligned with the authenticatorMakeCredential call.
MakeCredential only makes sense if the key pair is the credential.

[rlin1]

I think we should use the term credential for the authentication key pair and assertion for the data we send to the RP.

[rlin1]

There could also be a third form: some hash value derived from the public key or some encrypted data. We might want to rephrase the option 1 to include such approach.

[rlin1]

Or do you consider such option being included in 1. already?

[rlin1]

Not sure I understand this: here public key credential could be equal to a public key credential source. That confuses me.

[rlin1]

OK, got it: The term "public key credential" is used for both, the public key and the assertion.

[equalsJeffH]

LGTM! thanks @jyasskin!