-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Describe how authenticators unique and find credential sources. #623
Conversation
I think we should use the term Credential for the authentication key pair, i.e. the thing that gets created by authenticatorMakeCredential. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are currently using the term credential for the authentication kay pair and assertion for the one-time data sent to and then verified by the RP.
Re-defining credential to refer to the assertion is a BIG change. That would have to cover much more than what is currently covered.
index.bs
Outdated
@@ -324,13 +325,60 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S | |||
:: A user agent implementing, in conjunction with the underlying platform, the [=Web Authentication API=] and algorithms | |||
given in this specification, and handling communication between [=authenticators=] and [=[RPS]=]. | |||
|
|||
: <dfn>Credential ID</dfn> | |||
:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the way we use credential in the spec today suggests that credential actually refers to the authentication key pair and not the authentication assertion.
authenticatorMakeCredential makes a credential i.e. the key pair.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when ever we mean the assertion we use the term assertion (not credential)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Credential ID is already defined in the spec at this point. This addition can be deleted at this point.
index.bs
Outdated
|
||
A [=public key credential=] is created by the [=authenticatorGetAssertion=] operation using a [=public key credential | ||
source=] created by a previous [=authenticatorMakeCredential=] call. The [=[RP]=] verifies it using the [=credential public | ||
key=] returned from that [=authenticatorMakeCredential=] call via {{PublicKeyCredential/[[Create]]()}}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is confusing: when I call Credential.create I would expect to get a credential back - not a credential source.
index.bs
Outdated
@@ -940,7 +977,7 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
2. Let |value| be a new {{PublicKeyCredential}} associated with |global| whose fields are: | |||
|
|||
: {{PublicKeyCredential/[[identifier]]}} | |||
:: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the credential ID | |||
:: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the [=credential ID=] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we use credential source to refer to the public key/private key, the credential ID should be a credential source ID.
index.bs
Outdated
|
||
On successful completion of this operation, the authenticator returns the [=attestation object=] to the client. | ||
|
||
|
||
### The <dfn>authenticatorGetAssertion</dfn> operation ### {#op-get-assertion} | ||
<h4 id="op-get-assertion" algorithm> The <dfn>authenticatorGetAssertion</dfn> operation</h4> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be renamed to authenticatorGetCredential (if we stick to the redefinition of credential)
index.bs
Outdated
: |hash| | ||
:: The [=hash of the serialized client data=], provided by the client. | ||
: |allowCredentialDescriptorList| | ||
:: An optional list of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would have to be renamed to PublicKeyCrdentialSourceDescriptor describing credential sources acceptable...
index.bs
Outdated
- |selectedCredential|.[=public key credential source/id=] | ||
- |authenticatorData| | ||
- |signature| | ||
- |selectedCredential|.[=public key credential source/userHandle=] | ||
|
||
If the authenticator cannot find any credential corresponding to the specified [=[RP]=] that matches the specified criteria, it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would have to be renamed to credential source corresponding ...
index.bs
Outdated
@@ -1845,7 +1943,7 @@ credential. It has the following format: | |||
</tr> | |||
<tr> | |||
<td>L</td> | |||
<td>Credential ID</td> | |||
<td>[=Credential ID=]</td> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would have to be renamed to CredentialSource ID
index.bs
Outdated
@@ -3483,10 +3581,10 @@ credential. | |||
|
|||
9. If an assertion was successfully generated and returned, | |||
- The script sends the assertion to the server. | |||
- The server examines the assertion, extracts the credential ID, looks up the registered | |||
- The server examines the assertion, extracts the [=credential ID=], looks up the registered | |||
credential public key it is database, and verifies the assertion's authentication signature. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would have to be rephrased to ... and verifies the credential's signature
I've replied to @rlin1's comments in #620 (comment), since they're really about that change. |
ef99d3a
to
715a9a3
Compare
This also redefines "Public Key Credential" to be the thing presented to the RP, as a willful violation of RFC4949. Credential ID is defined to explicitly include the possibility that it's the encrypted Credential Source.
This happens to fix a maybe-bug where the authenticator didn't check that a decrypted credential ID came from the right RP. It's also much more precise about the distinction between a credential descriptor and a credential or credential source.
715a9a3
to
50d8d1b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks OK to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, I wonder about this being too prescriptive for authenticators and their implementers. One aspect is that I would venture to guess that such implementers do not commonly use WebIDL and thus wonder whether stipulating algorithms in detail via WebIDL is appropriate for that audience.
Another aspect is wondering whether/how this matches-up with the CTAP spec -- tho it does not have to be an exact match: we are ostensibly being purposely hand-wavy wrt authenticator implementations here in the webauthn spec, e.g., to give platform authnr implementers wiggle-room (i.e., those folks not necessarily depending directly on CTAP).
That said, the additions made here to the authenticatorMakeCredential and authenticatorGetAssertion operations seem correct.
Tho, I have a comment below wrt placement of the formal definition of the proposed credentials map
and the credential id lookup algorithm.
index.bs
Outdated
1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
1. Return `null`. | ||
|
||
</div> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest we keep all the gory formal definitions and algorithmic stuff down in subsections below this introductory prose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, I continue to wish to move this algorithm to it's own section. I did not do that as a part of the major merge-from-master catchup, but will do now if there's no objections.
Reviewed: #623 (review) |
bump: @jyasskin: #623 (review) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall to me, but I agree with @equalsJeffH on moving the definition of the lookup algorithm.
index.bs
Outdated
1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
1. Return `null`. | ||
|
||
</div> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree.
Am still working on merge-from-master. the portions in "6.2.2. The authenticatorGetAssertion operation" are tricky. more news on the morrow... |
This is ready for re-review. I merged-from-master and believe it is appropriately faithful to @jyasskin's original PR modulo master having evolved since then. |
my issues with this have been addressed.
index.bs
Outdated
|rpId|. | ||
1. If |credentialOptions| is now empty, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. | ||
|
||
1. If |allowCredentialDescriptorList| was not supplied, set it to a list of all credentials stored for |rpId| (as determined by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks to me like steps 2-6 and steps 7-9 do the same thing, no? In that case, we should delete steps 7-9 and change |allowCredentialDescriptorList|
to |credentialOptions|
in step 10.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, how embarrassing, me thinks ur correct.
index.bs
Outdated
the [=authenticator=] if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display the | ||
|rpId| and any additional displayable data associated with |selectedCredential|, if possible. | ||
|
||
If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The requireUserVerification
parameter is now unused. Is this intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch, thx.
index.bs
Outdated
|
||
If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. | ||
|
||
If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The requireUserPresence
parameter is now unused. Is this intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch, thx.
index.bs
Outdated
- The [=user handle=] associated with |selectedCredential|, if available. | ||
Return to the user agent: | ||
- |selectedCredential|.[=public key credential source/id=], if either a list of credentials of length 2 or greater was | ||
supplied by the client, or no such list was supplied. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If my above comment about allowCredentialDescriptorList
is correct, we should reference allowCredentialDescriptorList
(which is then untouched at this point) here and in the Note:
below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep, thx.
- |authenticatorData| | ||
- |signature| | ||
- |selectedCredential|.[=public key credential source/userHandle=] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CTAP stores the user handle only for client-side-resident private key credentials, so it seems misleading to imply that it must always be returned (unless we point out at the definition site that the userHandle
field is nullable). See also the client's getAssertion method.
index.bs
Outdated
:: The [=Relying Party Identifier=], for the [=[RP]=] this [=public key credential source=] is associated with. | ||
|
||
: <dfn>userHandle</dfn> | ||
:: The [=user handle=] associated when this [=public key credential source=] was created. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to point out that this field is nullable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's one change I wish to make now that the major merge-from-master catchup is done.
index.bs
Outdated
1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
1. Return `null`. | ||
|
||
</div> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, I continue to wish to move this algorithm to it's own section. I did not do that as a part of the major merge-from-master catchup, but will do now if there's no objections.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me now. It's clearly an improvement over the existing text.
I'm more confident @emlun's comments are addressed now given the further commits. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @equalsJeffH, this looks good to me except one last thing... :)
index.bs
Outdated
@@ -2351,7 +2396,7 @@ It takes the following input parameters: | |||
: |allowCredentialDescriptorList| | |||
:: An optional [=list=] of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered | |||
by the client), if any. | |||
: |requireUserPresence| | |||
: <var ignore>requireUserPresence</var> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This <var>
is now defined and ignore
d in two places... :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if I remove the ignore here, i get the annoying "only used once" warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you remove just one, yes, but not if you remove both this one and #623 (comment) .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, i was gonna try removing it from both next but was running out door to go sit in traffic....u r of course correct, fixed now in
14335b1
index.bs
Outdated
|
||
If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. | ||
|
||
If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=]. | ||
If <var ignore>requireUserPresence</var> is `true`, the method of obtaining [=user consent=] MUST include a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This <var>
is now defined and ignore
d in two places... :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
just pushed new commit dc50b3f that moves the op-lookup-credsource-by-credid alg to new subsection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Given the approvals, I'll merge this later today 5-Feb-2018 in the afternoon PT if there's no objections. thx. |
This PR builds on #620. Just look at the last commit (50d8d1b) to see what's new here. @leshi, @rlin1, @akshayku, you were cc'ed on #602 (comment), which this patch implements.
This happens to fix a maybe-bug where the authenticator didn't check that a
decrypted credential ID came from the right RP.
It's also much more precise about the distinction between a credential
descriptor and a credential or credential source.
This still only improves #578, but it makes it clearer where we'll put that fix.
Preview (#authenticato…) (#op-make-cred) (#op-get-asser…) | Diff