Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch |tokenBindingId| to a structure. #802

Merged
merged 2 commits into from
Feb 16, 2018
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 18 additions & 12 deletions index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -827,8 +827,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
:: The [=base64url encoding=] of |options|.{{PublicKeyCredentialCreationOptions/challenge}}.
: {{CollectedClientData/origin}}
:: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
: {{CollectedClientData/tokenBindingId}}
:: The [=Token Binding ID=] associated with |callerOrigin|, if one is available.
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.
: {{CollectedClientData/clientExtensions}}
:: |clientExtensions|
: {{CollectedClientData/authenticatorExtensions}}
Expand Down Expand Up @@ -1144,8 +1144,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
:: The [=base64url encoding=] of |options|.{{PublicKeyCredentialRequestOptions/challenge}}
: {{CollectedClientData/origin}}
:: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
: {{CollectedClientData/tokenBindingId}}
:: The [=Token Binding ID=] associated with |callerOrigin|, if one is available.
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.
: {{CollectedClientData/clientExtensions}}
:: |clientExtensions|
: {{CollectedClientData/authenticatorExtensions}}
Expand Down Expand Up @@ -1926,10 +1926,17 @@ following Web IDL.
required DOMString type;
required DOMString challenge;
required DOMString origin;
DOMString tokenBindingId;
TokenBinding tokenBinding;
AuthenticationExtensionsClientInputs clientExtensions;
AuthenticationExtensionsAuthenticatorInputs authenticatorExtensions;
};

dictionary TokenBinding {
required TokenBindingStatus status;
DOMString id;
};

enum TokenBindingStatus { "present", "supported", "not-supported" };
</pre>

<div dfn-type="dict-member" dfn-for="CollectedClientData">
Expand All @@ -1943,9 +1950,10 @@ following Web IDL.
The <dfn>origin</dfn> member contains the fully qualified [=origin=] of the requester, as provided to the authenticator by
the client, in the syntax defined by [[RFC6454]].

The <dfn>tokenBindingId</dfn> member contains the base64url encoding of the [=Token Binding ID=] that this client uses for
the [=Token Binding=] protocol when communicating with the [=[RP]=]. This can be omitted if no [=Token Binding=] has been
negotiated between the client and the [=[RP]=].
The <dfn>tokenBinding</dfn> member contains information about the state of the [=Token Binding=] protocol used when communicating with the [=[RP]=]. The `status` member is one of:
* `not-supported`: when the client does not support token binding.
* `supported`: the client supports token binding, but it was not negotiated when communicating with the [=[RP]=].
* `present`: token binding was used when communicating with the [=[RP]=]. In this case, the `id` member MUST be present and MUST be a [=base64url encoding=] of the [=Token Binding ID=] that was used.

The OPTIONAL <dfn>clientExtensions</dfn> and <dfn>authenticatorExtensions</dfn> members contain additional parameters
generated by processing the extensions passed in
Expand Down Expand Up @@ -2822,8 +2830,7 @@ When registering a new credential, represented by a {{AuthenticatorAttestationRe

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> matches the [=Token Binding ID=] for the TLS
connection over which the attestation was obtained.
1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Verify that the value of <code>|C|.{{CollectedClientData/clientExtensions}}</code> is a subset of the extensions requested by
the RP and that the value of <code>|C|.{{CollectedClientData/authenticatorExtensions}}</code> is also a subset of the
Expand Down Expand Up @@ -2930,8 +2937,7 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) as part

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> (if present) matches the [=Token Binding ID=]
for the TLS connection over which the signature was obtained.
1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"signature" has been erroneously changed to "attestation" here, in "for the TLS connection over which the signature was obtained". Perhaps we should change "signature" to "[=assertion=]" while we're at it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching that. Done.


1. Verify that the value of <code>|C|.{{CollectedClientData/clientExtensions}}</code> is a subset of the extensions requested by
the [=[RP]=] and that the value of <code>|C|.{{CollectedClientData/authenticatorExtensions}}</code> is also a subset of the
Expand Down