Describe how authenticators unique and find credential sources. #623
Conversation
|
I think we should use the term Credential for the authentication key pair, i.e. the thing that gets created by authenticatorMakeCredential. |
There was a problem hiding this comment.
We are currently using the term credential for the authentication kay pair and assertion for the one-time data sent to and then verified by the RP.
Re-defining credential to refer to the assertion is a BIG change. That would have to cover much more than what is currently covered.
index.bs
Outdated
| @@ -324,13 +325,60 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S | |||
| :: A user agent implementing, in conjunction with the underlying platform, the [=Web Authentication API=] and algorithms | |||
| given in this specification, and handling communication between [=authenticators=] and [=[RPS]=]. | |||
|
|
|||
| : <dfn>Credential ID</dfn> | |||
| :: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=]. | |||
There was a problem hiding this comment.
the way we use credential in the spec today suggests that credential actually refers to the authentication key pair and not the authentication assertion.
authenticatorMakeCredential makes a credential i.e. the key pair.
There was a problem hiding this comment.
when ever we mean the assertion we use the term assertion (not credential)
There was a problem hiding this comment.
Credential ID is already defined in the spec at this point. This addition can be deleted at this point.
index.bs
Outdated
|
|
||
| A [=public key credential=] is created by the [=authenticatorGetAssertion=] operation using a [=public key credential | ||
| source=] created by a previous [=authenticatorMakeCredential=] call. The [=[RP]=] verifies it using the [=credential public | ||
| key=] returned from that [=authenticatorMakeCredential=] call via {{PublicKeyCredential/[[Create]]()}}. |
There was a problem hiding this comment.
I think this is confusing: when I call Credential.create I would expect to get a credential back - not a credential source.
index.bs
Outdated
| @@ -940,7 +977,7 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
| 2. Let |value| be a new {{PublicKeyCredential}} associated with |global| whose fields are: | |||
|
|
|||
| : {{PublicKeyCredential/[[identifier]]}} | |||
| :: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the credential ID | |||
| :: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the [=credential ID=] | |||
There was a problem hiding this comment.
if we use credential source to refer to the public key/private key, the credential ID should be a credential source ID.
index.bs
Outdated
|
|
||
| On successful completion of this operation, the authenticator returns the [=attestation object=] to the client. | ||
|
|
||
|
|
||
| ### The <dfn>authenticatorGetAssertion</dfn> operation ### {#op-get-assertion} | ||
| <h4 id="op-get-assertion" algorithm> The <dfn>authenticatorGetAssertion</dfn> operation</h4> |
There was a problem hiding this comment.
should be renamed to authenticatorGetCredential (if we stick to the redefinition of credential)
index.bs
Outdated
| : |hash| | ||
| :: The [=hash of the serialized client data=], provided by the client. | ||
| : |allowCredentialDescriptorList| | ||
| :: An optional list of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered |
There was a problem hiding this comment.
would have to be renamed to PublicKeyCrdentialSourceDescriptor describing credential sources acceptable...
index.bs
Outdated
| - |selectedCredential|.[=public key credential source/id=] | ||
| - |authenticatorData| | ||
| - |signature| | ||
| - |selectedCredential|.[=public key credential source/userHandle=] | ||
|
|
||
| If the authenticator cannot find any credential corresponding to the specified [=[RP]=] that matches the specified criteria, it |
There was a problem hiding this comment.
would have to be renamed to credential source corresponding ...
index.bs
Outdated
| @@ -1845,7 +1943,7 @@ credential. It has the following format: | |||
| </tr> | |||
| <tr> | |||
| <td>L</td> | |||
| <td>Credential ID</td> | |||
| <td>[=Credential ID=]</td> | |||
There was a problem hiding this comment.
would have to be renamed to CredentialSource ID
index.bs
Outdated
| @@ -3483,10 +3581,10 @@ credential. | |||
|
|
|||
| 9. If an assertion was successfully generated and returned, | |||
| - The script sends the assertion to the server. | |||
| - The server examines the assertion, extracts the credential ID, looks up the registered | |||
| - The server examines the assertion, extracts the [=credential ID=], looks up the registered | |||
| credential public key it is database, and verifies the assertion's authentication signature. | |||
There was a problem hiding this comment.
would have to be rephrased to ... and verifies the credential's signature
|
I've replied to @rlin1's comments in #620 (comment), since they're really about that change. |
jyasskin
force-pushed
the
put-credentials-in-a-map
branch
from
ef99d3a
to
715a9a3
Compare
This also redefines "Public Key Credential" to be the thing presented to the RP, as a willful violation of RFC4949. Credential ID is defined to explicitly include the possibility that it's the encrypted Credential Source.
This happens to fix a maybe-bug where the authenticator didn't check that a decrypted credential ID came from the right RP. It's also much more precise about the distinction between a credential descriptor and a credential or credential source.
jyasskin
force-pushed
the
put-credentials-in-a-map
branch
from
715a9a3
to
50d8d1b
Compare
There was a problem hiding this comment.
Overall, I wonder about this being too prescriptive for authenticators and their implementers. One aspect is that I would venture to guess that such implementers do not commonly use WebIDL and thus wonder whether stipulating algorithms in detail via WebIDL is appropriate for that audience.
Another aspect is wondering whether/how this matches-up with the CTAP spec -- tho it does not have to be an exact match: we are ostensibly being purposely hand-wavy wrt authenticator implementations here in the webauthn spec, e.g., to give platform authnr implementers wiggle-room (i.e., those folks not necessarily depending directly on CTAP).
That said, the additions made here to the authenticatorMakeCredential and authenticatorGetAssertion operations seem correct.
Tho, I have a comment below wrt placement of the formal definition of the proposed credentials map and the credential id lookup algorithm.
index.bs
Outdated
| 1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
| 1. Return `null`. | ||
|
|
||
| </div> |
There was a problem hiding this comment.
I suggest we keep all the gory formal definitions and algorithmic stuff down in subsections below this introductory prose.
There was a problem hiding this comment.
BTW, I continue to wish to move this algorithm to it's own section. I did not do that as a part of the major merge-from-master catchup, but will do now if there's no objections.
|
Reviewed: #623 (review) |
|
bump: @jyasskin: #623 (review) |
There was a problem hiding this comment.
Looks good overall to me, but I agree with @equalsJeffH on moving the definition of the lookup algorithm.
index.bs
Outdated
| 1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
| 1. Return `null`. | ||
|
|
||
| </div> |
|
Am still working on merge-from-master. the portions in "6.2.2. The authenticatorGetAssertion operation" are tricky. more news on the morrow... |
|
This is ready for re-review. I merged-from-master and believe it is appropriately faithful to @jyasskin's original PR modulo master having evolved since then. |
equalsJeffH
dismissed
their stale review
my issues with this have been addressed.
index.bs
Outdated
| |rpId|. | ||
| 1. If |credentialOptions| is now empty, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. | ||
|
|
||
| 1. If |allowCredentialDescriptorList| was not supplied, set it to a list of all credentials stored for |rpId| (as determined by |
There was a problem hiding this comment.
It looks to me like steps 2-6 and steps 7-9 do the same thing, no? In that case, we should delete steps 7-9 and change |allowCredentialDescriptorList| to |credentialOptions| in step 10.
There was a problem hiding this comment.
oops, how embarrassing, me thinks ur correct.
index.bs
Outdated
| the [=authenticator=] if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display the | ||
| |rpId| and any additional displayable data associated with |selectedCredential|, if possible. | ||
|
|
||
| If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. |
There was a problem hiding this comment.
The requireUserVerification parameter is now unused. Is this intentional?
index.bs
Outdated
|
|
||
| If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. | ||
|
|
||
| If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=]. |
There was a problem hiding this comment.
The requireUserPresence parameter is now unused. Is this intentional?
index.bs
Outdated
| - The [=user handle=] associated with |selectedCredential|, if available. | ||
| Return to the user agent: | ||
| - |selectedCredential|.[=public key credential source/id=], if either a list of credentials of length 2 or greater was | ||
| supplied by the client, or no such list was supplied. |
There was a problem hiding this comment.
If my above comment about allowCredentialDescriptorList is correct, we should reference allowCredentialDescriptorList (which is then untouched at this point) here and in the Note: below.
| - |authenticatorData| | ||
| - |signature| | ||
| - |selectedCredential|.[=public key credential source/userHandle=] |
There was a problem hiding this comment.
CTAP stores the user handle only for client-side-resident private key credentials, so it seems misleading to imply that it must always be returned (unless we point out at the definition site that the userHandle field is nullable). See also the client's getAssertion method.
index.bs
Outdated
| :: The [=Relying Party Identifier=], for the [=[RP]=] this [=public key credential source=] is associated with. | ||
|
|
||
| : <dfn>userHandle</dfn> | ||
| :: The [=user handle=] associated when this [=public key credential source=] was created. |
There was a problem hiding this comment.
I think we need to point out that this field is nullable.
index.bs
Outdated
| 1. If |credSource|.[=public key credential source/id=] is |credentialId|, return |credSource|. | ||
| 1. Return `null`. | ||
|
|
||
| </div> |
There was a problem hiding this comment.
BTW, I continue to wish to move this algorithm to it's own section. I did not do that as a part of the major merge-from-master catchup, but will do now if there's no objections.
|
I'm more confident @emlun's comments are addressed now given the further commits. |
There was a problem hiding this comment.
Thanks @equalsJeffH, this looks good to me except one last thing... :)
index.bs
Outdated
| @@ -2351,7 +2396,7 @@ It takes the following input parameters: | |||
| : |allowCredentialDescriptorList| | |||
| :: An optional [=list=] of {{PublicKeyCredentialDescriptor}}s describing credentials acceptable to the [=[RP]=] (possibly filtered | |||
| by the client), if any. | |||
| : |requireUserPresence| | |||
| : <var ignore>requireUserPresence</var> | |||
There was a problem hiding this comment.
This <var> is now defined and ignored in two places... :)
There was a problem hiding this comment.
if I remove the ignore here, i get the annoying "only used once" warning.
There was a problem hiding this comment.
If you remove just one, yes, but not if you remove both this one and #623 (comment) .
There was a problem hiding this comment.
yeah, i was gonna try removing it from both next but was running out door to go sit in traffic....u r of course correct, fixed now in
14335b1
index.bs
Outdated
|
|
||
| If |requireUserVerification| is `true`, the method of obtaining [=user consent=] MUST include [=user verification=]. | ||
|
|
||
| If |requireUserPresence| is `true`, the method of obtaining [=user consent=] MUST include a [=test of user presence=]. | ||
| If <var ignore>requireUserPresence</var> is `true`, the method of obtaining [=user consent=] MUST include a |
There was a problem hiding this comment.
This <var> is now defined and ignored in two places... :)
|
just pushed new commit dc50b3f that moves the op-lookup-credsource-by-credid alg to new subsection. |
|
Given the approvals, I'll merge this later today 5-Feb-2018 in the afternoon PT if there's no objections. thx. |
This PR builds on #620. Just look at the last commit (50d8d1b) to see what's new here. @leshi, @rlin1, @akshayku, you were cc'ed on #602 (comment), which this patch implements.
This happens to fix a maybe-bug where the authenticator didn't check that a
decrypted credential ID came from the right RP.
It's also much more precise about the distinction between a credential
descriptor and a credential or credential source.
This still only improves #578, but it makes it clearer where we'll put that fix.
Preview (#authenticato…) (#op-make-cred) (#op-get-asser…) | Diff