-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch |tokenBindingId| to a structure. #802
Conversation
The existing string was not able to express the ternary nature of token binding for a given connection. See referenced bug for discussion. Fixes w3c#798
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me save for some small details.
index.bs
Outdated
: {{CollectedClientData/tokenBindingId}} | ||
:: The [=Token Binding ID=] associated with |callerOrigin|, if one is available. | ||
: {{CollectedClientData/tokenBinding}} | ||
:: The status of [=Token Binding=] between the client and the |callerOrigin| as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny nit: I suggest moving the comma to just before "as well": "The status of [...], as well as the [...] if one is available". So that "if one is available" refers to just the token binding ID instead of the whole structure. You're welcome to ignore this comment if you wish.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Done.
index.bs
Outdated
: {{CollectedClientData/tokenBindingId}} | ||
:: The [=Token Binding ID=] associated with |callerOrigin|, if one is available. | ||
: {{CollectedClientData/tokenBinding}} | ||
:: The status of [=Token Binding=] between the client and the |callerOrigin| as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny nit: I suggest moving the comma to just before "as well": "The status of [...], as well as the [...] if one is available". So that "if one is available" refers to just the token binding ID instead of the whole structure. You're welcome to ignore this comment if you wish.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Likewise.)
@@ -2930,8 +2937,7 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) as part | |||
|
|||
1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=]. | |||
|
|||
1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> (if present) matches the [=Token Binding ID=] | |||
for the TLS connection over which the signature was obtained. | |||
1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"signature" has been erroneously changed to "attestation" here, in "for the TLS connection over which the signature was obtained". Perhaps we should change "signature" to "[=assertion=]" while we're at it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching that. Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
thx @emlun for the fine-detail review & suggestions :) |
merge this? |
Yup. |
(I believe the repo is locked and so merges aren't possible, at least for me. However, if anyone has the button to click, I believe this is ready to merge.) |
The existing string was not able to express the ternary nature of token
binding for a given connection. See referenced bug for discussion.
Fixes #798
Preview | Diff