From bb4403af72a81941478d14ed8e506103629f3181 Mon Sep 17 00:00:00 2001 From: Shane Weeden <sbweeden@users.noreply.github.com> Date: Thu, 3 Oct 2024 01:59:26 +0000 Subject: [PATCH] Merge pull request #2159 from w3c/issue-2121-rp-name SHA: 1e2256dae3c7f0dedc2f87ff66494c6b3f274518 Reason: push, by sbweeden Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- index.html | 745 +++++++++++++++++++++++++++-------------------------- 1 file changed, 374 insertions(+), 371 deletions(-) diff --git a/index.html b/index.html index 8f9c7d16d..4c8f6a223 100644 --- a/index.html +++ b/index.html @@ -6,7 +6,7 @@ <meta content="ED" name="w3c-status"> <meta content="Bikeshed version 6270e4735, updated Tue Aug 6 12:12:30 2024 -0700" name="generator"> <link href="https://www.w3.org/TR/webauthn-3/" rel="canonical"> - <meta content="5831a2c9b2cc7765a24309f14db027a6f1bffa65" name="revision"> + <meta content="1e2256dae3c7f0dedc2f87ff66494c6b3f274518" name="revision"> <meta content="dark light" name="color-scheme"> <style type="text/css"> body { @@ -965,7 +965,7 @@ <div class="head"> <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2021/logos/W3C" width="72"> </a> </p> <h1>Web Authentication:<br>An API for accessing Public Key Credentials<br>Level 3</h1> - <p id="w3c-state"><a href="https://www.w3.org/standards/types#ED">Editor’s Draft</a>, <time class="dt-updated" datetime="2024-10-02">2 October 2024</time></p> + <p id="w3c-state"><a href="https://www.w3.org/standards/types#ED">Editor’s Draft</a>, <time class="dt-updated" datetime="2024-10-03">3 October 2024</time></p> <details open> <summary>More details about this document</summary> <div data-fill-with="spec-metadata"> 
@@ -4222,47 +4222,50 @@ <h4 class="heading settled" data-level="5.4.1" id="dictionary-pkcredentialentity <p>A <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability②">human-palatable</a> name for the entity. Its function depends on what the <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity②">PublicKeyCredentialEntity</a></code> represents:</p> <ul> <li data-md> - <p>When inherited by <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity③">PublicKeyCredentialRpEntity</a></code> it is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability③">human-palatable</a> identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③③">Relying Party</a>, intended only + <p>[DEPRECATED] When inherited by <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity③">PublicKeyCredentialRpEntity</a></code> it is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability③">human-palatable</a> identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③③">Relying Party</a>, intended only for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".</p> + <p>This member is deprecated because many <a data-link-type="dfn" href="#client" id="ref-for-client⑤⓪">clients</a> do not display it, +but it remains a required dictionary member for backwards compatibility. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③④">Relying Parties</a> MAY, as a safe default, set this equal to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②④">RP ID</a>.</p> <ul> <li data-md> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③④">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑤">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑥">name</a></code>'s value, or displaying the value to the user.</p> <li data-md> - <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑤">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> + <p>This string MAY contain language and direction metadata. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑥">Relying Parties</a> SHOULD consider providing this information if setting the member to a value other than the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑤">RP ID</a>. +See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> <li data-md> - <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤⓪">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, + <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤①">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑦">name</a></code>'s value prior to displaying the value to the user or including the value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑦">authenticatorMakeCredential</a> operation.</p> </ul> <li data-md> <p>When inherited by <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" 
id="ref-for-dictdef-publickeycredentialuserentity②">PublicKeyCredentialUserEntity</a></code>, it is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability④">human-palatable</a> identifier for a <a data-link-type="dfn" href="#user-account" id="ref-for-user-account①⑦">user account</a>. This -identifier is the primary value displayed to users by <a data-link-type="dfn" href="#client" id="ref-for-client⑤①">Clients</a> to help users +identifier is the primary value displayed to users by <a data-link-type="dfn" href="#client" id="ref-for-client⑤②">Clients</a> to help users understand with which <a data-link-type="dfn" href="#user-account" id="ref-for-user-account①⑧">user account</a> a credential is associated.</p> <p>Examples of suitable values for this identifier include, "alexm", "+14255551234", "alex.mueller@example.com", "alex.mueller@example.com (prod-env)", or "alex.mueller@example.com (ОАО Примертех)".</p> <ul> <li data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑥">Relying Party</a> MAY let the user choose this value. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑦">Relying Party</a> SHOULD perform enforcement, + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑦">Relying Party</a> MAY let the user choose this value. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑧">Relying Party</a> SHOULD perform enforcement, as prescribed in Section 3.4.3 of <a data-link-type="biblio" href="#biblio-rfc8265" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords">[RFC8265]</a> for the UsernameCasePreserved Profile of the PRECIS IdentifierClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑧">name</a></code>'s value, or displaying the value to the user.</p> <li data-md> - <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑧">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> + <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑨">Relying Parties</a> SHOULD consider providing this information. 
See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> <li data-md> - <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤②">Clients</a> SHOULD perform enforcement, as prescribed in Section 3.4.3 of <a data-link-type="biblio" href="#biblio-rfc8265" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords">[RFC8265]</a> for the UsernameCasePreserved Profile of the PRECIS IdentifierClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, + <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤③">Clients</a> SHOULD perform enforcement, as prescribed in Section 3.4.3 of <a data-link-type="biblio" href="#biblio-rfc8265" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords">[RFC8265]</a> for the UsernameCasePreserved Profile of the PRECIS IdentifierClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name⑨">name</a></code>'s value prior to displaying the value to the user or including the value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑧">authenticatorMakeCredential</a> operation.</p> </ul> </ul> - <p>When <a data-link-type="dfn" href="#client" id="ref-for-client⑤③">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑥">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑥">authenticators</a> display a <code 
class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①⓪">name</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3" title="CSS Overflow Module Level 3">[css-overflow-3]</a>.</p> + <p>When <a data-link-type="dfn" href="#client" id="ref-for-client⑤④">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑥">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑥">authenticators</a> display a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①⓪">name</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3" title="CSS Overflow Module Level 3">[css-overflow-3]</a>.</p> <p>When storing a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①①">name</a></code> member’s value, the value MAY be truncated as described in <a href="#sctn-strings-truncation">§ 6.4.1 String Truncation</a> using a size limit greater than or equal to 64 bytes.</p> </dl> </div> <h4 class="heading settled" data-level="5.4.2" id="dictionary-rp-credential-params"><span class="secno">5.4.2. 
</span><span class="content">Relying Party Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialrpentity"><code>PublicKeyCredentialRpEntity</code></dfn>)</span><a class="self-link" href="#dictionary-rp-credential-params"></a></h4> - <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity④">PublicKeyCredentialRpEntity</a></code> dictionary is used to supply additional <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①③⑨">Relying Party</a> attributes when creating a new credential.</p> + <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity④">PublicKeyCredentialRpEntity</a></code> dictionary is used to supply additional <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⓪">Relying Party</a> attributes when creating a new credential.</p> <pre class="idl highlight def"><c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity⑤"><c- g>PublicKeyCredentialRpEntity</c-></a> : <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity③"><c- n>PublicKeyCredentialEntity</c-></a> { <a class="idl-code" data-link-type="interface" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString④⑤"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="DOMString" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①②"><c- g>id</c-></a>; }; 
@@ -4271,7 +4274,7 @@ <h4 class="heading settled" data-level="5.4.2" id="dictionary-rp-credential-para <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRpEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrpentity-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString④⑥">DOMString</a></span> <dd data-md> - <p>A unique identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⓪">Relying Party</a> entity, which sets the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②④">RP ID</a>.</p> + <p>A unique identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④①">Relying Party</a> entity, which sets the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑥">RP ID</a>.</p> </dl> </div> <h4 class="heading settled" data-level="5.4.3" id="dictionary-user-credential-params"><span class="secno">5.4.3. </span><span class="content">User Account Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialuserentity"><code>PublicKeyCredentialUserEntity</code></dfn>)</span><a class="self-link" href="#dictionary-user-credential-params"></a></h4> 
@@ -4296,27 +4299,27 @@ <h4 class="heading settled" data-level="5.4.3" id="dictionary-user-credential-pa <p class="note" role="note"><span class="marker">Note:</span> the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑧">user handle</a> <i>ought not</i> be a constant value across different <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②①">user accounts</a>, even for <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential③">non-discoverable credentials</a>, because some authenticators always create <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑦">discoverable credentials</a>. Thus a constant <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle①⑨">user handle</a> would prevent a user from using such an authenticator -with more than one <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②②">user account</a> at the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④①">Relying Party</a>.</p> +with more than one <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②②">user account</a> at the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④②">Relying Party</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialUserEntity" data-dfn-type="dict-member" data-export id="dom-publickeycredentialuserentity-displayname"><code>displayName</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString④⑧">DOMString</a></span> <dd data-md> <p>A <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability⑤">human-palatable</a> name for the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②③">user account</a>, intended only for -display. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④②">Relying Party</a> SHOULD let the user choose this, and SHOULD NOT restrict the choice +display. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④③">Relying Party</a> SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary. If no suitable or <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability⑥">human-palatable</a> name is -available, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④③">Relying Party</a> SHOULD set this value to an empty string.</p> +available, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④④">Relying Party</a> SHOULD set this value to an empty string.</p> <p>Examples of suitable values for this identifier include, "Alex Müller", "Alex Müller (ACME Co.)" or "田中倫".</p> <ul> <li data-md> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④④">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑤">Relying Parties</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of 
Internationalized Strings in Application Protocols">[RFC8264]</a>, when setting <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑦">displayName</a></code>'s value to a non-empty string, or displaying a non-empty value to the user.</p> <li data-md> - <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑤">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> + <p>This string MAY contain language and direction metadata. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑥">Relying Parties</a> SHOULD consider providing this information. See <a href="#sctn-strings-langdir">§ 6.4.2 Language and Direction Encoding</a> about how this metadata is encoded.</p> <li data-md> - <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤④">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, + <p><a data-link-type="dfn" href="#client" id="ref-for-client⑤⑤">Clients</a> SHOULD perform enforcement, as prescribed in Section 2.3 of <a data-link-type="biblio" href="#biblio-rfc8266" title="Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames">[RFC8266]</a> for the Nickname Profile of the PRECIS FreeformClass <a data-link-type="biblio" href="#biblio-rfc8264" title="PRECIS Framework: Preparation, 
Enforcement, and Comparison of Internationalized Strings in Application Protocols">[RFC8264]</a>, on <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑧">displayName</a></code>'s value prior to displaying a non-empty value to the user or including a non-empty value as a parameter of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential⑨">authenticatorMakeCredential</a> operation.</p> </ul> - <p>When <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑤">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑦">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑦">authenticators</a> display a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑨">displayName</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3" title="CSS Overflow Module Level 3">[css-overflow-3]</a>.</p> + <p>When <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑥">clients</a>, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑦">client platforms</a>, or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑦">authenticators</a> display a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname⑨">displayName</a></code>'s value, they should always use UI elements to provide a clear boundary around the displayed value, and not allow overflow into other elements <a data-link-type="biblio" href="#biblio-css-overflow-3" title="CSS Overflow Module Level 
3">[css-overflow-3]</a>.</p> <p>When storing a <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①⓪">displayName</a></code> member’s value, the value MAY be truncated as described in <a href="#sctn-strings-truncation">§ 6.4.1 String Truncation</a> using a size limit greater than or equal to 64 bytes.</p> </dl> 
@@ -4344,20 +4347,20 @@ <h4 class="heading settled" data-level="5.4.4" id="dictionary-authenticatorSelec in a successful <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create①⑨">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②④">get()</a></code> operation.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-residentkey"><code>residentKey</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑤③">DOMString</a></span> <dd data-md> - <p>Specifies the extent to which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑥">Relying Party</a> desires to create a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑥">client-side discoverable credential</a>. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement">ResidentKeyRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑨">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists③">member does not exist</a>. 
If no value is given then the effective value is <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required③">required</a></code> if <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey③">requireResidentKey</a></code> is <code>true</code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged②">discouraged</a></code> if it is <code>false</code> or absent.</p> + <p>Specifies the extent to which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑦">Relying Party</a> desires to create a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑥">client-side discoverable credential</a>. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement">ResidentKeyRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform③⑨">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists③">member does not exist</a>. 
If no value is given then the effective value is <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required③">required</a></code> if <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey③">requireResidentKey</a></code> is <code>true</code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged②">discouraged</a></code> if it is <code>false</code> or absent.</p> <p>See <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement①">ResidentKeyRequirement</a></code> for the description of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey④">residentKey</a></code>'s values and semantics.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-requireresidentkey"><code>requireResidentKey</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-boolean" id="ref-for-idl-boolean④">boolean</a>, defaulting to <code>false</code></span> <dd data-md> - <p>This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑧">discoverable credentials</a>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑦">Relying Parties</a> SHOULD set it to <code>true</code> if, and only if, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑤">residentKey</a></code> is set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required④">required</a></code>.</p> + <p>This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑧">discoverable credentials</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑧">Relying Parties</a> SHOULD set it to <code>true</code> if, and only if, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑤">residentKey</a></code> is set to <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-required" id="ref-for-dom-residentkeyrequirement-required④">required</a></code>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export id="dom-authenticatorselectioncriteria-userverification"><code>userVerification</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑤④">DOMString</a>, defaulting to <code>"preferred"</code></span> <dd data-md> - <p>This member specifies the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑧">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②③">user verification</a> for the <code 
class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⓪">create()</a></code> operation. + <p>This member specifies the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑨">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②③">user verification</a> for the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⓪">create()</a></code> operation. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement">UserVerificationRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⓪">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists④">member does not exist</a>.</p> <p>See <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement①">UserVerificationRequirement</a></code> for the description of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification④">userVerification</a></code>'s values and semantics.</p> </dl> </div> <h4 class="heading settled" data-level="5.4.5" id="enum-attachment"><span class="secno">5.4.5. 
</span><span class="content">Authenticator Attachment Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-authenticatorattachment"><code>AuthenticatorAttachment</code></dfn>)</span><a class="self-link" href="#enum-attachment"></a></h4> - <p>This enumeration’s values describe <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑨">authenticators</a>' <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑥">attachment modalities</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①④⑨">Relying Parties</a> use this to express a preferred <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑦">authenticator attachment modality</a> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②①">navigator.credentials.create()</a></code> to <a href="#sctn-createCredential">create a credential</a>, and <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑥">clients</a> use this to report the <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑧">authenticator attachment modality</a> used to complete a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑥">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②①">authentication ceremony</a>.</p> + <p>This enumeration’s values describe <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①②⑨">authenticators</a>' <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑥">attachment modalities</a>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⓪">Relying Parties</a> use this to express a preferred <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑦">authenticator attachment modality</a> when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②①">navigator.credentials.create()</a></code> to <a href="#sctn-createCredential">create a credential</a>, and <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑦">clients</a> use this to report the <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑧">authenticator attachment modality</a> used to complete a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑥">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②①">authentication ceremony</a>.</p> <pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-authenticatorattachment" id="ref-for-enumdef-authenticatorattachment④"><c- g>AuthenticatorAttachment</c-></a> { <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-platform" id="ref-for-dom-authenticatorattachment-platform"><c- s>"platform"</c-></a>, <a class="idl-code" data-link-type="enum-value" href="#dom-authenticatorattachment-cross-platform" id="ref-for-dom-authenticatorattachment-cross-platform"><c- s>"cross-platform"</c-></a> 
@@ -4375,9 +4378,9 @@ <h4 class="heading settled" data-level="5.4.5" id="enum-attachment"><span class= </dl> </div> <p class="note" role="note"><span class="marker">Note:</span> An <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality⑨">authenticator attachment modality</a> selection option is available only in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot③">[[Create]](origin, options, -sameOriginWithAncestors)</a></code> operation. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⓪">Relying Party</a> may use it to, for example, ensure the user has a <a data-link-type="dfn" href="#roaming-credential" id="ref-for-roaming-credential">roaming credential</a> for +sameOriginWithAncestors)</a></code> operation. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤①">Relying Party</a> may use it to, for example, ensure the user has a <a data-link-type="dfn" href="#roaming-credential" id="ref-for-roaming-credential">roaming credential</a> for authenticating on another <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑥">client device</a>; or to specifically register a <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential">platform credential</a> for easier reauthentication using a -particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑦">client device</a>. 
The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑤">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operation has no <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality①⓪">authenticator attachment modality</a> selection option, so the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤①">Relying Party</a> SHOULD accept any of the user’s registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑥">credentials</a>. The <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑦">client</a> and user will then use whichever is available and convenient at the time.</p> +particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device①⑦">client device</a>. The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot⑤">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> operation has no <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality①⓪">authenticator attachment modality</a> selection option, so the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤②">Relying Party</a> SHOULD accept any of the user’s registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑥">credentials</a>. The <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑧">client</a> and user will then use whichever is available and convenient at the time.</p> <h4 class="heading settled" data-level="5.4.6" id="enum-residentKeyRequirement"><span class="secno">5.4.6. 
</span><span class="content">Resident Key Requirement Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-residentkeyrequirement"><code>ResidentKeyRequirement</code></dfn>)</span><a class="self-link" href="#enum-residentKeyRequirement"></a></h4> <pre class="idl highlight def"><c- b>enum</c-> <a class="idl-code" data-link-type="enum" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement②"><c- g>ResidentKeyRequirement</c-></a> { <a class="idl-code" data-link-type="enum-value" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged③"><c- s>"discouraged"</c-></a>, 
@@ -4386,26 +4389,26 @@ <h4 class="heading settled" data-level="5.4.6" id="enum-residentKeyRequirement"> }; </pre> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-residentkeyrequirement" id="ref-for-enumdef-residentkeyrequirement③">ResidentKeyRequirement</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> - <p>This enumeration’s values describe the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤②">Relying Party</a>'s requirements for <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑦">client-side discoverable credentials</a> (formerly known as <a data-link-type="dfn" href="#resident-credential" id="ref-for-resident-credential①">resident credentials</a> or <a data-link-type="dfn" href="#resident-key" id="ref-for-resident-key②">resident keys</a>):</p> + <p>This enumeration’s values describe the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤③">Relying Party</a>'s requirements for <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑦">client-side discoverable credentials</a> (formerly known as <a data-link-type="dfn" href="#resident-credential" id="ref-for-resident-credential①">resident credentials</a> or <a data-link-type="dfn" href="#resident-key" id="ref-for-resident-key②">resident keys</a>):</p> <div> <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt=""discouraged"|discouraged" id="dom-residentkeyrequirement-discouraged"><code>discouraged</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤③">Relying Party</a> prefers creating a <a data-link-type="dfn" 
href="#server-side-credential" id="ref-for-server-side-credential⑥">server-side credential</a>, but will accept a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑧">client-side discoverable credential</a>. -The <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑧">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⓪">authenticator</a> SHOULD create a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑦">server-side credential</a> if possible.</p> - <p class="note" role="note"><span class="marker">Note:</span> A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤④">Relying Party</a> cannot require that a created credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑧">server-side credential</a> and the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops②">Credential Properties Extension</a> may not return a value for the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk">rk</a></code> property. 
Because of this, it may be the case that it does not know if a credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑨">server-side credential</a> or not and thus does not know whether creating a second credential with the same <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⓪">user handle</a> will evict the first.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤④">Relying Party</a> prefers creating a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑥">server-side credential</a>, but will accept a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑧">client-side discoverable credential</a>. +The <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑨">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⓪">authenticator</a> SHOULD create a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑦">server-side credential</a> if possible.</p> + <p class="note" role="note"><span class="marker">Note:</span> A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑤">Relying Party</a> cannot require that a created credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑧">server-side credential</a> and the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops②">Credential Properties Extension</a> may not return a value for the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk">rk</a></code> property. 
Because of this, it may be the case that it does not know if a credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential⑨">server-side credential</a> or not and thus does not know whether creating a second credential with the same <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⓪">user handle</a> will evict the first.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt=""preferred"|preferred" id="dom-residentkeyrequirement-preferred"><code>preferred</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑤">Relying Party</a> strongly prefers creating a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑨">client-side discoverable credential</a>, but will accept a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①⓪">server-side credential</a>. -The <a data-link-type="dfn" href="#client" id="ref-for-client⑤⑨">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③①">authenticator</a> SHOULD create a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑨">discoverable credential</a> if possible. -For example, the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⓪">client</a> SHOULD guide the user through setting up <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②④">user verification</a> if needed to create a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⓪">discoverable credential</a>. 
This takes precedence over the setting of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification⑤">userVerification</a></code>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑥">Relying Party</a> strongly prefers creating a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential⑨">client-side discoverable credential</a>, but will accept a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①⓪">server-side credential</a>. +The <a data-link-type="dfn" href="#client" id="ref-for-client⑥⓪">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③①">authenticator</a> SHOULD create a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential⑨">discoverable credential</a> if possible. +For example, the <a data-link-type="dfn" href="#client" id="ref-for-client⑥①">client</a> SHOULD guide the user through setting up <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②④">user verification</a> if needed to create a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⓪">discoverable credential</a>. 
This takes precedence over the setting of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification⑤">userVerification</a></code>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="ResidentKeyRequirement" data-dfn-type="enum-value" data-export data-lt=""required"|required" id="dom-residentkeyrequirement-required"><code>required</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑥">Relying Party</a> requires a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⓪">client-side discoverable credential</a>. -The <a data-link-type="dfn" href="#client" id="ref-for-client⑥①">client</a> MUST return an error if a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①①">client-side discoverable credential</a> cannot be created.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑦">Relying Party</a> requires a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①⓪">client-side discoverable credential</a>. 
+The <a data-link-type="dfn" href="#client" id="ref-for-client⑥②">client</a> MUST return an error if a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①①">client-side discoverable credential</a> cannot be created.</p> </dl> </div> - <p class="note" role="note"><span class="marker">Note:</span> The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑦">Relying Party</a> can seek information on whether or not the authenticator created a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①②">client-side discoverable credential</a> using the <a data-link-type="dfn" href="#credentialpropertiesoutput-resident-key-credential-property" id="ref-for-credentialpropertiesoutput-resident-key-credential-property">resident key credential property</a> of the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops③">Credential Properties Extension</a>. + <p class="note" role="note"><span class="marker">Note:</span> The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑧">Relying Party</a> can seek information on whether or not the authenticator created a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①②">client-side discoverable credential</a> using the <a data-link-type="dfn" href="#credentialpropertiesoutput-resident-key-credential-property" id="ref-for-credentialpropertiesoutput-resident-key-credential-property">resident key credential property</a> of the <a data-link-type="dfn" href="#credprops" id="ref-for-credprops③">Credential Properties Extension</a>. 
This is useful when values of <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-discouraged" id="ref-for-dom-residentkeyrequirement-discouraged④">discouraged</a></code> or <code class="idl"><a data-link-type="idl" href="#dom-residentkeyrequirement-preferred" id="ref-for-dom-residentkeyrequirement-preferred③">preferred</a></code> are used for <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-authenticatorselection" id="ref-for-dom-publickeycredentialcreationoptions-authenticatorselection⑨">authenticatorSelection</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-residentkey" id="ref-for-dom-authenticatorselectioncriteria-residentkey⑥">residentKey</a></code></code>, because in those cases it is possible for an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③②">authenticator</a> to create <em>either</em> a <a data-link-type="dfn" href="#client-side-discoverable-credential" id="ref-for-client-side-discoverable-credential①③">client-side discoverable credential</a> or a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①①">server-side credential</a>.</p> <h4 class="heading settled" data-level="5.4.7" id="enum-attestation-convey"><span class="secno">5.4.7. 
</span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-conveyance">Attestation Conveyance</dfn> Preference Enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-attestationconveyancepreference"><code>AttestationConveyancePreference</code></dfn>)</span><a class="self-link" href="#enum-attestation-convey"></a></h4> <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party③⑨">WebAuthn Relying Parties</a> may use <code class="idl"><a data-link-type="idl" href="#enumdef-attestationconveyancepreference" id="ref-for-enumdef-attestationconveyancepreference①">AttestationConveyancePreference</a></code> to specify their preference regarding <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance②">attestation conveyance</a> during credential generation.</p> 
@@ -4421,27 +4424,27 @@ <h4 class="heading settled" data-level="5.4.7" id="enum-attestation-convey"><spa <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt=""none"|none" id="dom-attestationconveyancepreference-none"><code>none</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑧">Relying Party</a> is not interested in <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③③">authenticator</a> <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑨">attestation</a>. For example, in order to -potentially avoid having to obtain <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①③">user consent</a> to relay identifying information to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑨">Relying Party</a>, or to save a + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑤⑨">Relying Party</a> is not interested in <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③③">authenticator</a> <a data-link-type="dfn" href="#attestation" id="ref-for-attestation⑨">attestation</a>. For example, in order to +potentially avoid having to obtain <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①③">user consent</a> to relay identifying information to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⓪">Relying Party</a>, or to save a roundtrip to an <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca">Attestation CA</a> or <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca①">Anonymization CA</a>. 
If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③④">authenticator</a> generates an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement⑨">attestation statement</a> that is not a <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑤">self attestation</a>, -the <a data-link-type="dfn" href="#client" id="ref-for-client⑥②">client</a> will replace it with a <a data-link-type="dfn" href="#none" id="ref-for-none">None</a> attestation statement.</p> +the <a data-link-type="dfn" href="#client" id="ref-for-client⑥③">client</a> will replace it with a <a data-link-type="dfn" href="#none" id="ref-for-none">None</a> attestation statement.</p> <p>This is the default, and unknown values fall back to the behavior of this value.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt=""indirect"|indirect" id="dom-attestationconveyancepreference-indirect"><code>indirect</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⓪">Relying Party</a> wants to receive a verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⓪">attestation statement</a>, -but allows the <a data-link-type="dfn" href="#client" id="ref-for-client⑥③">client</a> to decide how to obtain such an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①①">attestation statement</a>. 
+ <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥①">Relying Party</a> wants to receive a verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⓪">attestation statement</a>, +but allows the <a data-link-type="dfn" href="#client" id="ref-for-client⑥④">client</a> to decide how to obtain such an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①①">attestation statement</a>. The client MAY replace an authenticator-generated <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①②">attestation statement</a> with one generated by an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca②">Anonymization CA</a>, -in order to protect the user’s privacy, or to assist <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥①">Relying Parties</a> with attestation verification in a heterogeneous ecosystem.</p> - <p class="note" role="note"><span class="marker">Note:</span> There is no guarantee that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥②">Relying Party</a> will obtain a verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①③">attestation statement</a> in this case. 
-For example, in the case that the authenticator employs <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑥">self attestation</a> and the <a data-link-type="dfn" href="#client" id="ref-for-client⑥④">client</a> passes the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①④">attestation statement</a> through unmodified.</p> +in order to protect the user’s privacy, or to assist <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥②">Relying Parties</a> with attestation verification in a heterogeneous ecosystem.</p> + <p class="note" role="note"><span class="marker">Note:</span> There is no guarantee that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥③">Relying Party</a> will obtain a verifiable <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①③">attestation statement</a> in this case. +For example, in the case that the authenticator employs <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑥">self attestation</a> and the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑤">client</a> passes the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①④">attestation statement</a> through unmodified.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt=""direct"|direct" id="dom-attestationconveyancepreference-direct"><code>direct</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥③">Relying Party</a> wants to receive the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑤">attestation statement</a> as generated by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑤">authenticator</a>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" 
id="ref-for-relying-party①⑥④">Relying Party</a> wants to receive the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑤">attestation statement</a> as generated by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑤">authenticator</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AttestationConveyancePreference" data-dfn-type="enum-value" data-export data-lt=""enterprise"|enterprise" id="dom-attestationconveyancepreference-enterprise"><code>enterprise</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥④">Relying Party</a> wants to receive an enterprise attestation, which is an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑥">attestation statement</a> that may include information which uniquely identifies the authenticator. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. 
User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑤">RP ID</a>.</p> - <p>If permitted, the user agent SHOULD signal to the authenticator (at <a href="#CreateCred-InvokeAuthnrMakeCred">invocation time</a>) that enterprise attestation is requested, and convey the resulting <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid①">AAGUID</a> and <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑦">attestation statement</a>, unaltered, to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑤">Relying Party</a>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑤">Relying Party</a> wants to receive an enterprise attestation, which is an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑥">attestation statement</a> that may include information which uniquely identifies the authenticator. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. 
User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑦">RP ID</a>.</p> + <p>If permitted, the user agent SHOULD signal to the authenticator (at <a href="#CreateCred-InvokeAuthnrMakeCred">invocation time</a>) that enterprise attestation is requested, and convey the resulting <a data-link-type="dfn" href="#aaguid" id="ref-for-aaguid①">AAGUID</a> and <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑦">attestation statement</a>, unaltered, to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑥">Relying Party</a>.</p> </dl> </div> <h3 class="heading settled" data-level="5.5" id="dictionary-assertion-options"><span class="secno">5.5. </span><span class="content">Options for Assertion Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-publickeycredentialrequestoptions"><code>PublicKeyCredentialRequestOptions</code></dfn>)</span><a class="self-link" href="#dictionary-assertion-options"></a></h3> 
@@ -4463,37 +4466,37 @@ <h3 class="heading settled" data-level="5.5" id="dictionary-assertion-options">< <p>This member specifies a challenge that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑥">authenticator</a> signs, along with other data, when producing an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①②">authentication assertion</a>. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-timeout"><code>timeout</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-unsigned-long" id="ref-for-idl-unsigned-long⑤">unsigned long</a></span> <dd data-md> - <p>This OPTIONAL member specifies a time, in milliseconds, that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑥">Relying Party</a> is willing to wait for the call to complete. -The value is treated as a hint, and MAY be overridden by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑤">client</a>.</p> + <p>This OPTIONAL member specifies a time, in milliseconds, that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑦">Relying Party</a> is willing to wait for the call to complete. 
+The value is treated as a hint, and MAY be overridden by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑥">client</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-rpid"><code>rpId</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑤⑧">DOMString</a></span> <dd data-md> - <p>This OPTIONAL member specifies the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑥">RP ID</a> claimed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑦">Relying Party</a>. -The <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑥">client</a> MUST verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑧">Relying Party</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①①">origin</a> matches the <a data-link-type="dfn" href="#scope" id="ref-for-scope①②">scope</a> of this <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑦">RP ID</a>. + <p>This OPTIONAL member specifies the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑧">RP ID</a> claimed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑧">Relying Party</a>. +The <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑦">client</a> MUST verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑨">Relying Party</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①①">origin</a> matches the <a data-link-type="dfn" href="#scope" id="ref-for-scope①②">scope</a> of this <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑨">RP ID</a>. 
The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑦">authenticator</a> MUST verify -that this <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑧">RP ID</a> exactly equals the <a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid①">rpId</a> of the <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①⑧">credential</a> to be used for the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②②">authentication ceremony</a>.</p> +that this <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⓪">RP ID</a> exactly equals the <a data-link-type="dfn" href="#public-key-credential-source-rpid" id="ref-for-public-key-credential-source-rpid①">rpId</a> of the <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①⑧">credential</a> to be used for the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②②">authentication ceremony</a>.</p> <p>If not specified, its value will be the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer" id="ref-for-credentialscontainer③">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object④">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin⑧">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①⑧">effective domain</a>.</p> <dt data-md><dfn class="dfn-paneled 
idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-allowcredentials"><code>allowCredentials</code></dfn>, <span> of type sequence<<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor⑧">PublicKeyCredentialDescriptor</a>>, defaulting to <code>[]</code></span> <dd data-md> - <p>This OPTIONAL member is used by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑦">client</a> to find <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑧">authenticators</a> eligible for this <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②③">authentication ceremony</a>. + <p>This OPTIONAL member is used by the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑧">client</a> to find <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑧">authenticators</a> eligible for this <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②③">authentication ceremony</a>. It can be used in two ways:</p> <ul> <li data-md> <p>If the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②④">user account</a> to authenticate is already identified (e.g., if the user has entered a username), -then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑥⑨">Relying Party</a> SHOULD use this member to list <a data-link-type="dfn" href="#credential-descriptor-for-a-credential-record" id="ref-for-credential-descriptor-for-a-credential-record">credential descriptors for credential records</a> in the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑤">user account</a>. 
+then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⓪">Relying Party</a> SHOULD use this member to list <a data-link-type="dfn" href="#credential-descriptor-for-a-credential-record" id="ref-for-credential-descriptor-for-a-credential-record">credential descriptors for credential records</a> in the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑤">user account</a>. This SHOULD usually include all <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record⑥">credential records</a> in the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑥">user account</a>.</p> <p>The <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑧">items</a> SHOULD specify <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports⑨">transports</a></code> whenever possible. -This helps the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑧">client</a> optimize the user experience for any given situation. -Also note that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⓪">Relying Party</a> does not need to filter the list when requesting <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑤">user verification</a> — -the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑨">client</a> will automatically ignore non-eligible credentials +This helps the <a data-link-type="dfn" href="#client" id="ref-for-client⑥⑨">client</a> optimize the user experience for any given situation. 
+Also note that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦①">Relying Party</a> does not need to filter the list when requesting <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑤">user verification</a> — +the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⓪">client</a> will automatically ignore non-eligible credentials if <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-userverification" id="ref-for-dom-publickeycredentialrequestoptions-userverification③">userVerification</a></code> is set to <code class="idl"><a data-link-type="idl" href="#dom-userverificationrequirement-required" id="ref-for-dom-userverificationrequirement-required⑤">required</a></code>.</p> <p>See also the <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a> privacy consideration.</p> <li data-md> <p>If the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑦">user account</a> to authenticate is not already identified, -then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦①">Relying Party</a> MAY leave this member <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑤">empty</a> or unspecified. +then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦②">Relying Party</a> MAY leave this member <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑤">empty</a> or unspecified. 
In this case, only <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①①">discoverable credentials</a> will be utilized in this <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②④">authentication ceremony</a>, and the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑧">user account</a> MAY be identified by the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-userhandle" id="ref-for-dom-authenticatorassertionresponse-userhandle⑤">userHandle</a></code> of the resulting <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse⑤">AuthenticatorAssertionResponse</a></code>. -If the available <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑨">authenticators</a> <a data-link-type="dfn" href="#contains" id="ref-for-contains②">contain</a> more than one <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①②">discoverable credential</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope①③">scoped</a> to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦②">Relying Party</a>, +If the available <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①③⑨">authenticators</a> <a data-link-type="dfn" href="#contains" id="ref-for-contains②">contain</a> more than one <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①②">discoverable credential</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope①③">scoped</a> to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦③">Relying Party</a>, the credentials are displayed by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④①">client platform</a> or <a data-link-type="dfn" href="#authenticator" 
id="ref-for-authenticator①④⓪">authenticator</a> for the user to select from (see <a href="#authenticatorGetAssertion-prompt-select-credential">step 7</a> of <a href="#sctn-op-get-assertion">§ 6.3.3 The authenticatorGetAssertion Operation</a>).</p> </ul> <p>If not <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑥">empty</a>, the client MUST return an error if none of the listed credentials can be used.</p> 
@@ -4501,14 +4504,14 @@ <h3 class="heading settled" data-level="5.5" id="dictionary-assertion-options">< preferred credential, and the last is the least preferred.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-userverification"><code>userVerification</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑤⑨">DOMString</a>, defaulting to <code>"preferred"</code></span> <dd data-md> - <p>This OPTIONAL member specifies the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦③">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑥">user verification</a> for the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑥">get()</a></code> operation. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement②">UserVerificationRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④②">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists⑤">member does not exist</a>. 
Eligible authenticators are filtered to only those capable of satisfying this requirement.</p> + <p>This OPTIONAL member specifies the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦④">Relying Party</a>'s requirements regarding <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑥">user verification</a> for the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑥">get()</a></code> operation. The value SHOULD be a member of <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement②">UserVerificationRequirement</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④②">client platforms</a> MUST ignore unknown values, treating an unknown value as if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists" id="ref-for-map-exists⑤">member does not exist</a>. 
Eligible authenticators are filtered to only those capable of satisfying this requirement.</p> <p>See <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement③">UserVerificationRequirement</a></code> for the description of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-userverification" id="ref-for-dom-authenticatorselectioncriteria-userverification⑥">userVerification</a></code>'s values and semantics.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-hints"><code>hints</code></dfn>, <span> of type sequence<<a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑥⓪">DOMString</a>>, defaulting to <code>[]</code></span> <dd data-md> <p>This OPTIONAL member contains zero or more elements from <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialhint" id="ref-for-enumdef-publickeycredentialhint①">PublicKeyCredentialHint</a></code> to guide the user agent in interacting with the user. Note that the elements have type <code>DOMString</code> despite being taken from that enumeration. 
See <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-publickeycredentialrequestoptions-extensions"><code>extensions</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs③">AuthenticationExtensionsClientInputs</a></span> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦④">Relying Party</a> MAY use this OPTIONAL member to provide <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input③">client extension inputs</a> requesting additional processing by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⓪">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④①">authenticator</a>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑤">Relying Party</a> MAY use this OPTIONAL member to provide <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input③">client extension inputs</a> requesting additional processing by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦①">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④①">authenticator</a>.</p> <p>The extensions framework is defined in <a href="#sctn-extensions">§ 9 WebAuthn Extensions</a>. 
Some extensions are defined in <a href="#sctn-defined-extensions">§ 10 Defined Extensions</a>; consult the IANA "WebAuthn Extension Identifiers" registry <a data-link-type="biblio" href="#biblio-iana-webauthn-registries" title="Web Authentication (WebAuthn) registries">[IANA-WebAuthn-Registries]</a> established by <a data-link-type="biblio" href="#biblio-rfc8809" title="Registries for Web Authentication (WebAuthn)">[RFC8809]</a> for an up-to-date list 
@@ -4550,7 +4553,7 @@ <h4 class="heading settled" data-level="5.7.3" id="iface-authentication-extensio <p>The <a data-link-type="dfn" href="#cddl" id="ref-for-cddl">CDDL</a> type <code>AuthenticationExtensionsAuthenticatorInputs</code> defines a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑤">CBOR</a> map containing the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input">authenticator extension input</a> values for zero or more <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions⑧">WebAuthn Extensions</a>. Extensions can add members as described in <a href="#sctn-extension-request-parameters">§ 9.3 Extending Request Parameters</a>.</p> - <p>This type is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑤">Relying Party</a>, but is used by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦①">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④②">authenticator</a>.</p> + <p>This type is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑥">Relying Party</a>, but is used by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦②">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④②">authenticator</a>.</p> <h4 class="heading settled" data-level="5.7.4" id="iface-authentication-extensions-authenticator-outputs"><span class="secno">5.7.4. </span><span class="content">Authentication Extensions Authenticator Outputs (CDDL type <code>AuthenticationExtensionsAuthenticatorOutputs</code>)</span><a class="self-link" href="#iface-authentication-extensions-authenticator-outputs"></a></h4> <pre>AuthenticationExtensionsAuthenticatorOutputs = { * $$extensionOutput .within ( tstr => any ) 
@@ -4563,7 +4566,7 @@ <h3 class="heading settled" data-level="5.8" id="sctn-supporting-data-structures <p>The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑦">public key credential</a> type uses certain data structures that are specified in supporting specifications. These are as follows.</p> <h4 class="heading settled" data-level="5.8.1" id="dictionary-client-data"><span class="secno">5.8.1. </span><span class="content">Client Data Used in <a data-link-type="dfn" href="#webauthn-signature" id="ref-for-webauthn-signature">WebAuthn Signatures</a> (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-collectedclientdata"><code>CollectedClientData</code></dfn>)</span><a class="self-link" href="#dictionary-client-data"></a></h4> - <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-data">client data</dfn> represents the contextual bindings of both the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⓪">WebAuthn Relying Party</a> and the <a data-link-type="dfn" href="#client" id="ref-for-client⑦②">client</a>. It is a key-value + <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-data">client data</dfn> represents the contextual bindings of both the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⓪">WebAuthn Relying Party</a> and the <a data-link-type="dfn" href="#client" id="ref-for-client⑦③">client</a>. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.</p> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata②">CollectedClientData</a></code> may be extended in the future. 
Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys. See also <a href="#clientdatajson-verification">§ 5.8.1.2 Limited Verification Algorithm</a>.</p> @@ -4591,7 +4594,7 @@ <h4 class="heading settled" data-level="5.8.1" id="dictionary-client-data"><span attacks (where an attacker substitutes one legitimate signature for another).</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-challenge"><code>challenge</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑥⑧">DOMString</a></span> <dd data-md> - <p>This member contains the base64url encoding of the challenge provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑥">Relying Party</a>. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p> + <p>This member contains the base64url encoding of the challenge provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑦">Relying Party</a>. See the <a href="#sctn-cryptographic-challenges">§ 13.4.3 Cryptographic Challenges</a> security consideration.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export id="dom-collectedclientdata-origin"><code>origin</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑥⑨">DOMString</a></span> <dd data-md> <p>This member contains the fully qualified <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①②">origin</a> of the requester, as provided to the authenticator by the client, in 
@@ -4608,7 +4611,7 @@ <h4 class="heading settled" data-level="5.8.1" id="dictionary-client-data"><span <dt data-md>[RESERVED] <dfn class="dfn-paneled" data-dfn-for="CollectedClientData" data-dfn-type="dfn" data-noexport id="dom-collectedclientdata-tokenbinding">tokenBinding</dfn> <dd data-md> <p>This OPTIONAL member contains information about the state of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1">Token Binding</a> protocol <a data-link-type="biblio" href="#biblio-tokenbinding" title="The Token Binding Protocol Version 1.0">[TokenBinding]</a> used when communicating -with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑦">Relying Party</a>. Its absence indicates that the client doesn’t support token binding</p> +with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑧">Relying Party</a>. Its absence indicates that the client doesn’t support token binding</p> <p class="note" role="note"><span class="marker">Note:</span> While <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-1" id="ref-for-section-1①">Token Binding</a> was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The <a data-link-type="dfn" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding">tokenBinding</a> field is reserved so that it will not be reused for a different purpose.</p> <div> <dl> 
@@ -4619,17 +4622,17 @@ <h4 class="heading settled" data-level="5.8.1" id="dictionary-client-data"><span <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBindingStatus" data-dfn-type="enum-value" data-export data-lt=""supported"|supported" id="dom-tokenbindingstatus-supported"><code>supported</code></dfn> <dd data-md> - <p>Indicates the client supports token binding, but it was not negotiated when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑧">Relying Party</a>.</p> + <p>Indicates the client supports token binding, but it was not negotiated when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑨">Relying Party</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBindingStatus" data-dfn-type="enum-value" data-export data-lt=""present"|present" id="dom-tokenbindingstatus-present"><code>present</code></dfn> <dd data-md> - <p>Indicates token binding was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑦⑨">Relying Party</a>. In this case, the <code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id①">id</a></code> member MUST be present.</p> + <p>Indicates token binding was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⓪">Relying Party</a>. 
In this case, the <code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-id" id="ref-for-dom-tokenbinding-id①">id</a></code> member MUST be present.</p> </dl> </div> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-tokenbindingstatus" id="ref-for-enumdef-tokenbindingstatus①">TokenBindingStatus</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="TokenBinding" data-dfn-type="dict-member" data-export id="dom-tokenbinding-id"><code>id</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑦②">DOMString</a></span> <dd data-md> <p>This member MUST be present if <code class="idl"><a data-link-type="idl" href="#dom-tokenbinding-status" id="ref-for-dom-tokenbinding-status①">status</a></code> is <code class="idl"><a data-link-type="idl" href="#dom-tokenbindingstatus-present" id="ref-for-dom-tokenbindingstatus-present①">present</a></code>, and MUST be a <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding①⑨">base64url -encoding</a> of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2">Token Binding ID</a> that was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⓪">Relying Party</a>.</p> +encoding</a> of the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2">Token Binding ID</a> that was used when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧①">Relying Party</a>.</p> </dl> </div> <p class="note" role="note"><span class="marker">Note:</span> Obtaining a <a data-link-type="dfn" 
href="https://tools.ietf.org/html/rfc8471#section-3.2" id="ref-for-section-3.2①">Token Binding ID</a> is a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④④">client platform</a>-specific operation.</p> 
@@ -4840,7 +4843,7 @@ <h4 class="heading settled" data-level="5.8.3" id="dictionary-credential-descrip </pre> <p>This dictionary identifies a specific <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential③⑧">public key credential</a>. It is used in <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②②">create()</a></code> to prevent creating duplicate credentials on the same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④③">authenticator</a>, -and in <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑦">get()</a></code> to determine if and how the credential can currently be reached by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦③">client</a>.</p> +and in <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑦">get()</a></code> to determine if and how the credential can currently be reached by the <a data-link-type="dfn" href="#client" id="ref-for-client⑦④">client</a>.</p> <p>The <a data-link-type="dfn" href="#credential-descriptor-for-a-credential-record" id="ref-for-credential-descriptor-for-a-credential-record①">credential descriptor for a credential record</a> is a subset of the properties of that <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record⑦">credential record</a>, and mirrors some fields of the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②③">PublicKeyCredential</a></code> object returned by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" 
id="ref-for-dom-credentialscontainer-create②③">create()</a></code> and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②⑧">get()</a></code>.</p> <div> 
@@ -4858,7 +4861,7 @@ <h4 class="heading settled" data-level="5.8.3" id="dictionary-credential-descrip This mirrors the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid①">rawId</a></code> field of <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②⑤">PublicKeyCredential</a></code>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export id="dom-publickeycredentialdescriptor-transports"><code>transports</code></dfn>, <span> of type sequence<<a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑦⑥">DOMString</a>></span> <dd data-md> - <p>This OPTIONAL member contains a hint as to how the <a data-link-type="dfn" href="#client" id="ref-for-client⑦④">client</a> might communicate with the <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①①">managing authenticator</a> of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④①">public key credential</a> the caller is referring to. 
The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport②">AuthenticatorTransport</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑥">client platforms</a> MUST ignore unknown values.</p> + <p>This OPTIONAL member contains a hint as to how the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑤">client</a> might communicate with the <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①①">managing authenticator</a> of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④①">public key credential</a> the caller is referring to. The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport②">AuthenticatorTransport</a></code> but <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑥">client platforms</a> MUST ignore unknown values.</p> <p>This SHOULD be set to the value of the <a data-link-type="abstract-op" href="#abstract-opdef-credential-record-transports" id="ref-for-abstract-opdef-credential-record-transports①">transports</a> item of the <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record①⓪">credential record</a> representing the identified <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source④⑨">public key credential source</a>. 
This mirrors the <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response④">response</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports④">getTransports()</a></code></code> method of the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②⑥">PublicKeyCredential</a></code> structure created by a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②④">create()</a></code> operation.</p> 
@@ -4876,9 +4879,9 @@ <h4 class="heading settled" data-level="5.8.4" id="enum-transport"><span class=" </pre> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-authenticatortransport" id="ref-for-enumdef-authenticatortransport④">AuthenticatorTransport</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> <div> - <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④④">Authenticators</a> may implement various <a href="#enum-transport">transports</a> for communicating with <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑤">clients</a>. This enumeration + <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①④④">Authenticators</a> may implement various <a href="#enum-transport">transports</a> for communicating with <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑥">clients</a>. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a - specific credential. Note that these hints represent the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④①">WebAuthn Relying Party</a>'s best belief as to how an authenticator may be reached. A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧①">Relying Party</a> will typically learn of the supported transports for a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④②">public key credential</a> via <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports⑤">getTransports()</a></code>. + specific credential. 
Note that these hints represent the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④①">WebAuthn Relying Party</a>'s best belief as to how an authenticator may be reached. A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧②">Relying Party</a> will typically learn of the supported transports for a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④②">public key credential</a> via <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-gettransports" id="ref-for-dom-authenticatorattestationresponse-gettransports⑤">getTransports()</a></code>. <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorTransport" data-dfn-type="enum-value" data-export data-lt=""usb"|usb" id="dom-authenticatortransport-usb"><code>usb</code></dfn> <dd data-md> 
@@ -4937,16 +4940,16 @@ <h4 class="heading settled" data-level="5.8.6" id="enum-userVerificationRequirem <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt=""required"|required" id="dom-userverificationrequirement-required"><code>required</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧②">Relying Party</a> requires <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑧">user verification</a> for the operation and will fail the overall <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①①">ceremony</a> if the + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧③">Relying Party</a> requires <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑧">user verification</a> for the operation and will fail the overall <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①①">ceremony</a> if the response does not have the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv⑤">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑨">flag</a> set. 
-The <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑥">client</a> MUST return an error if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑨">user verification</a> cannot be performed.</p> +The <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑦">client</a> MUST return an error if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification②⑨">user verification</a> cannot be performed.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt=""preferred"|preferred" id="dom-userverificationrequirement-preferred"><code>preferred</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧③">Relying Party</a> prefers <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⓪">user verification</a> for the operation if possible, but will not fail the + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧④">Relying Party</a> prefers <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⓪">user verification</a> for the operation if possible, but will not fail the operation if the response does not have the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv⑥">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags①⓪">flag</a> set.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="UserVerificationRequirement" data-dfn-type="enum-value" data-export data-lt=""discouraged"|discouraged" id="dom-userverificationrequirement-discouraged"><code>discouraged</code></dfn> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧④">Relying Party</a> does not want <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③①">user verification</a> employed during the operation (e.g., in the 
+ <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑤">Relying Party</a> does not want <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③①">user verification</a> employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).</p> </dl> </div> 
@@ -4964,7 +4967,7 @@ <h4 class="heading settled" data-level="5.8.7" id="enum-clientCapability"><span }; </pre> <p>This enumeration defines a limited set of client capabilities which a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④③">WebAuthn Relying Party</a> may evaluate to offer certain workflows and experiences to users.</p> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑤">Relying Parties</a> may use the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientcapabilities" id="ref-for-dom-publickeycredential-getclientcapabilities③">getClientCapabilities()</a></code> method of <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②⑦">PublicKeyCredential</a></code> to obtain a description of available capabilities.</p> + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑥">Relying Parties</a> may use the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientcapabilities" id="ref-for-dom-publickeycredential-getclientcapabilities③">getClientCapabilities()</a></code> method of <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②⑦">PublicKeyCredential</a></code> to obtain a description of available capabilities.</p> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-clientcapability" id="ref-for-enumdef-clientcapability②">ClientCapability</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> <div> <dl> 
@@ -5009,21 +5012,21 @@ <h4 class="heading settled" data-level="5.8.8" id="enum-hints"><span class="secn </pre> <p class="note" role="note"><span class="marker">Note:</span> The <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialhint" id="ref-for-enumdef-publickeycredentialhint③">PublicKeyCredentialHint</a></code> enumeration is deliberately not referenced, see <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.</p> <div> - <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④④">WebAuthn Relying Parties</a> may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑥">Relying Party</a> has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑦">Relying Party</a> may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. + <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④④">WebAuthn Relying Parties</a> may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑦">Relying Party</a> has about the request. 
Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑧">Relying Party</a> may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. If the same hint appears more than once, its second and later appearences are ignored. <p>Hints MAY contradict information contained in credential <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports①①">transports</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment②">authenticatorAttachment</a></code>. When this occurs, the hints take precedence. (Note that <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports①②">transports</a></code> values are not provided when using <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①③">discoverable credentials</a>, leaving hints as the only avenue for expressing some aspects of such a request.)</p> <dl> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialHint" data-dfn-type="enum-value" data-export data-lt=""security-key"|security-key" id="dom-publickeycredentialhint-security-key"><code>security-key</code></dfn> <dd data-md> - <p>Indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑧">Relying Party</a> believes that users will satisfy this request with a physical security key. 
For example, an enterprise <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑨">Relying Party</a> may set this hint if they have issued security keys to their employees and will only accept those <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤①">authenticators</a> for <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑧">registration</a> and <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑥">authentication</a>.</p> + <p>Indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑧⑨">Relying Party</a> believes that users will satisfy this request with a physical security key. For example, an enterprise <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⓪">Relying Party</a> may set this hint if they have issued security keys to their employees and will only accept those <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤①">authenticators</a> for <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony⑧">registration</a> and <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑥">authentication</a>.</p> <p>For compatibility with older user agents, when this hint is used in <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions⑧">PublicKeyCredentialCreationOptions</a></code>, the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment③">authenticatorAttachment</a></code> SHOULD be set to <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattachment-cross-platform" id="ref-for-dom-authenticatorattachment-cross-platform①">cross-platform</a></code>.</p> <dt data-md><dfn 
class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialHint" data-dfn-type="enum-value" data-export data-lt=""client-device"|client-device" id="dom-publickeycredentialhint-client-device"><code>client-device</code></dfn> <dd data-md> - <p>Indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⓪">Relying Party</a> believes that users will satisfy this request with a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑤">platform authenticator</a> attached to the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⓪">client device</a>.</p> + <p>Indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨①">Relying Party</a> believes that users will satisfy this request with a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑤">platform authenticator</a> attached to the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②⓪">client device</a>.</p> <p>For compatibility with older user agents, when this hint is used in <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions⑨">PublicKeyCredentialCreationOptions</a></code>, the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment④">authenticatorAttachment</a></code> SHOULD be set to <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattachment-platform" id="ref-for-dom-authenticatorattachment-platform①">platform</a></code>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialHint" data-dfn-type="enum-value" data-export data-lt=""hybrid"|hybrid" id="dom-publickeycredentialhint-hybrid"><code>hybrid</code></dfn> <dd data-md> - <p>Indicates that the <a data-link-type="dfn" 
href="#relying-party" id="ref-for-relying-party①⑨①">Relying Party</a> believes that users will satisfy this request with general-purpose <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤②">authenticators</a> such as smartphones. For example, a consumer <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨②">Relying Party</a> may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑥">platform authenticator</a> should not be promoted in the UI.</p> + <p>Indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨②">Relying Party</a> believes that users will satisfy this request with general-purpose <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤②">authenticators</a> such as smartphones. For example, a consumer <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨③">Relying Party</a> may believe that only a small fraction of their customers possesses dedicated security keys. 
This option also implies that the local <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑥">platform authenticator</a> should not be promoted in the UI.</p> <p>For compatibility with older user agents, when this hint is used in <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions①⓪">PublicKeyCredentialCreationOptions</a></code>, the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-authenticatorattachment" id="ref-for-dom-authenticatorselectioncriteria-authenticatorattachment⑤">authenticatorAttachment</a></code> SHOULD be set to <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattachment-cross-platform" id="ref-for-dom-authenticatorattachment-cross-platform②">cross-platform</a></code>.</p> </dl> </div> 
@@ -5037,13 +5040,13 @@ <h3 class="heading settled" data-level="5.9" id="sctn-permissions-policy"><span <h3 class="heading settled" data-level="5.10" id="sctn-iframe-guidance"><span class="secno">5.10. </span><span class="content">Using Web Authentication within <code>iframe</code> elements</span><a class="self-link" href="#sctn-iframe-guidance"></a></h3> <p>The <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑤">Web Authentication API</a> is disabled by default in cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code>s. To override this default policy and indicate that a cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code> is allowed to invoke the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑥">Web Authentication API</a>'s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①②">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> method, specify the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow">allow</a></code> attribute on the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element②">iframe</a></code> element and include the <code><a data-link-type="dfn" href="#publickey-credentials-get-feature" id="ref-for-publickey-credentials-get-feature">publickey-credentials-get</a></code> feature-identifier token in the <code><a data-link-type="element-sub" 
href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow①">allow</a></code> attribute’s value.</p> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨③">Relying Parties</a> utilizing the WebAuthn API in an embedded context should review <a href="#sctn-seccons-visibility">§ 13.4.2 Visibility Considerations for Embedded Usage</a> regarding <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing">UI redressing</a> and its possible mitigations.</p> + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨④">Relying Parties</a> utilizing the WebAuthn API in an embedded context should review <a href="#sctn-seccons-visibility">§ 13.4.2 Visibility Considerations for Embedded Usage</a> regarding <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing">UI redressing</a> and its possible mitigations.</p> <h3 class="heading settled" data-level="5.11" id="sctn-related-origins"><span class="secno">5.11. 
</span><span class="content">Using Web Authentication across related origins</span><a class="self-link" href="#sctn-related-origins"></a></h3> - <p>By default, Web Authentication requires that the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id②⑨">RP ID</a> be equal to the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑤">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①⑨">effective domain</a>, or a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to⑤">registrable domain suffix</a> of the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑥">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain②⓪">effective domain</a>.</p> + <p>By default, Web Authentication requires that the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③①">RP ID</a> be equal to the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑤">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①⑨">effective domain</a>, or a <a data-link-type="dfn" 
href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to" id="ref-for-is-a-registrable-domain-suffix-of-or-is-equal-to⑤">registrable domain suffix</a> of the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑥">origin</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain②⓪">effective domain</a>.</p> <p>This can make deployment challenging for large environments where multiple country-specific domains are in use (e.g. example.com vs example.co.uk vs example.sg), where alternative or brand domains are required (e.g. myexampletravel.com vs examplecruises.com), and/or where platform as a service providers are used to support mobile apps.</p> <p><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑤">WebAuthn Relying Parties</a> can opt in to allowing <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client①⑥">WebAuthn Clients</a> to enable a credential to be created and used across a limited set of related <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①③">origins</a>. -Such <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨④">Relying Parties</a> MUST choose a common <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⓪">RP ID</a> to use across all ceremonies from related origins.</p> - <p>A JSON document MUST be hosted at the <code>webauthn</code> well-known URL <a data-link-type="biblio" href="#biblio-rfc8615" title="Well-Known Uniform Resource Identifiers (URIs)">[RFC8615]</a> for the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③①">RP ID</a>. 
The JSON document MUST be returned as follows:</p> +Such <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑤">Relying Parties</a> MUST choose a common <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③②">RP ID</a> to use across all ceremonies from related origins.</p> + <p>A JSON document MUST be hosted at the <code>webauthn</code> well-known URL <a data-link-type="biblio" href="#biblio-rfc8615" title="Well-Known Uniform Resource Identifiers (URIs)">[RFC8615]</a> for the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③③">RP ID</a>. The JSON document MUST be returned as follows:</p> <ul> <li data-md> <p>The content type MUST be <code>application/json</code>.</p> 
@@ -5112,15 +5115,15 @@ <h2 class="heading settled" data-level="6" id="sctn-authenticator-model"><span c <p><a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑦">Client platforms</a> MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web Authentication API implementation, when operating on the authenticators supported by that <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑧">client platform</a>, MUST be indistinguishable from the behavior specified in <a href="#sctn-api">§ 5 Web Authentication API</a>.</p> - <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the <a href="#sctn-api">WebAuthn API</a>'s algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑦">client</a> is expected to perform any needed transformations on such data. The <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> specification details the mapping between CTAP2 integer keys and WebAuthn string keys in Section <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticator-api" id="ref-for-authenticator-api">§6. 
Authenticator API</a>.</p> + <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the <a href="#sctn-api">WebAuthn API</a>'s algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑧">client</a> is expected to perform any needed transformations on such data. The <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> specification details the mapping between CTAP2 integer keys and WebAuthn string keys in Section <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticator-api" id="ref-for-authenticator-api">§6. Authenticator API</a>.</p> <p>For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to the client and the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑥">WebAuthn Relying Party</a>. However, it does not define the details of how authenticators communicate with the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device②①">client device</a>, -unless they are necessary for interoperability with <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑤">Relying Parties</a>. For instance, this abstract model does not define protocols for +unless they are necessary for interoperability with <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑥">Relying Parties</a>. 
For instance, this abstract model does not define protocols for connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore, specific error codes are mentioned as a means of showing which error conditions MUST be distinguishable (or not) from each other in order to enable a compliant and secure client implementation.</p> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑥">Relying Parties</a> may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑦">Relying Parties</a> may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics when <a href="#sctn-createCredential">creating credentials</a> and/or when <a href="#sctn-getAssertion">generating assertions</a>, through use of <a href="#dictionary-makecredentialoptions">credential creation options</a> or <a href="#dictionary-assertion-options">assertion generation options</a>, respectively. The algorithms underlying the <a href="#sctn-api">WebAuthn API</a> marshal these options and pass them to the applicable <a href="#sctn-authenticator-ops">authenticator operations</a> defined below.</p> <p>In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the 
@@ -5132,13 +5135,13 @@ <h2 class="heading settled" data-level="6" id="sctn-authenticator-model"><span c <p>Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="aaguid">AAGUID</dfn>, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type -of authenticator SHOULD be randomly generated to ensure this. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑦">Relying Party</a> MAY use the AAGUID to infer certain properties of the authenticator, such as -certification level and strength of key protection, using information from other sources. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑧">Relying Party</a> MAY use the AAGUID to attempt to identify the maker of +of authenticator SHOULD be randomly generated to ensure this. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑧">Relying Party</a> MAY use the AAGUID to infer certain properties of the authenticator, such as +certification level and strength of key protection, using information from other sources. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑨">Relying Party</a> MAY use the AAGUID to attempt to identify the maker of the authenticator without requesting and verifying <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⓪">attestation</a>, but the AAGUID is not provably authentic without <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①①">attestation</a>.</p> <p>The primary function of the authenticator is to provide <a data-link-type="dfn" href="#webauthn-signature" id="ref-for-webauthn-signature①">WebAuthn signatures</a>, which are bound to various contextual data. These data are observed and added at different levels of the stack as a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings -are divided in two: Those added by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party①⑨⑨">Relying Party</a> or the client, referred to as <a data-link-type="dfn" href="#client-data" id="ref-for-client-data②">client data</a>; and those added by the authenticator, +are divided in two: Those added by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⓪">Relying Party</a> or the client, referred to as <a data-link-type="dfn" href="#client-data" id="ref-for-client-data②">client data</a>; and those added by the authenticator, referred to as the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑥">authenticator data</a>. The authenticator signs over the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data③">client data</a>, but is otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data④">client data</a> and sends only the result to the authenticator. 
The authenticator signs over the combination of the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑥">hash of the serialized client data</a>, and its own <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑦">authenticator data</a>.</p> @@ -5151,7 +5154,7 @@ <h2 class="heading settled" data-level="6" id="sctn-authenticator-model"><span c <p>The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators should not have to parse high-level encodings such as JSON.</p> <li data-md> - <p>Both the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑧">client</a> and the authenticator should have the flexibility to add contextual bindings as needed.</p> + <p>Both the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑨">client</a> and the authenticator should have the flexibility to add contextual bindings as needed.</p> <li data-md> <p>The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.</p> </ul> 
@@ -5177,7 +5180,7 @@ <h3 class="heading settled" data-level="6.1" id="sctn-authenticator-data"><span controlled by the authenticator itself, and derive their trust from the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑦">WebAuthn Relying Party</a>'s assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑥">client data</a>. At the other extreme, the authenticator may be a discrete entity with high-security hardware and -software, connected to the client over a secure channel. In both cases, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⓪">Relying Party</a> receives the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑧">authenticator data</a> in the same +software, connected to the client over a secure channel. In both cases, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪①">Relying Party</a> receives the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑧">authenticator data</a> in the same format, and uses its knowledge of the authenticator to make trust decisions.</p> <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data①⑨">authenticator data</a> has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power requirements, with much simpler software stacks than the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform④⑨">client platform</a>.</p> 
@@ -5193,7 +5196,7 @@ <h3 class="heading settled" data-level="6.1" id="sctn-authenticator-data"><span <tr> <td><dfn class="dfn-paneled" data-dfn-for="authData" data-dfn-type="dfn" data-noexport id="authdata-rpidhash">rpIdHash</dfn> <td>32 - <td> SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③②">RP ID</a> the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑤">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①④">scoped</a> to. + <td> SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③④">RP ID</a> the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑤">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①④">scoped</a> to. <tr> <td><dfn class="dfn-paneled" data-dfn-for="authData" data-dfn-type="dfn" data-noexport id="authdata-flags">flags</dfn> <td>1 
@@ -5268,15 +5271,15 @@ <h3 class="heading settled" data-level="6.1" id="sctn-authenticator-data"><span <figcaption> <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②③">Authenticator data</a> layout. The names in the Name column are only for reference within this document, and are not present in the actual representation of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②④">authenticator data</a>. </figcaption> </figure> - <p>The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③③">RP ID</a> is originally received from the <a data-link-type="dfn" href="#client" id="ref-for-client⑦⑨">client</a> when the credential is created, and again when an <a data-link-type="dfn" href="#assertion" id="ref-for-assertion③">assertion</a> is generated. -However, it differs from other <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑦">client data</a> in some important ways. First, unlike the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑧">client data</a>, the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③④">RP ID</a> of a + <p>The <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑤">RP ID</a> is originally received from the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⓪">client</a> when the credential is created, and again when an <a data-link-type="dfn" href="#assertion" id="ref-for-assertion③">assertion</a> is generated. +However, it differs from other <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑦">client data</a> in some important ways. First, unlike the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data⑧">client data</a>, the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑥">RP ID</a> of a credential does not change between operations but instead remains the same for the lifetime of that credential. 
Secondly, it is -validated by the authenticator during the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑧">authenticatorGetAssertion</a> operation, by verifying that the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑤">RP ID</a> that -the requested <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑥">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑤">scoped</a> to exactly matches the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑥">RP ID</a> supplied by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⓪">client</a>.</p> +validated by the authenticator during the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑧">authenticatorGetAssertion</a> operation, by verifying that the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑦">RP ID</a> that +the requested <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential④⑥">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑤">scoped</a> to exactly matches the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑧">RP ID</a> supplied by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧①">client</a>.</p> <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑤⑨">Authenticators</a> <dfn class="dfn-paneled" data-dfn-for="authenticator data" data-dfn-type="dfn" data-noexport id="authenticator-data-perform-the-following-steps-to-generate-an-authenticator-data-structure">perform the following steps to generate an <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑤">authenticator data</a> structure</dfn>:</p> <ul> <li data-md> - <p>Hash <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑦">RP ID</a> using SHA-256 to generate the <a data-link-type="dfn" href="#authdata-rpidhash" 
id="ref-for-authdata-rpidhash">rpIdHash</a>.</p> + <p>Hash <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑨">RP ID</a> using SHA-256 to generate the <a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash">rpIdHash</a>.</p> <li data-md> <p>The <a data-link-type="dfn" href="#authdata-flags-up" id="ref-for-authdata-flags-up">UP</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags①①">flag</a> SHALL be set if and only if the authenticator performed a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑥">test of user presence</a>. The <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv⑦">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags①②">flag</a> SHALL be set if and only if the authenticator performed <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③②">user verification</a>. 
@@ -5310,15 +5313,15 @@ <h3 class="heading settled" data-level="6.1" id="sctn-authenticator-data"><span </div> <h4 class="heading settled" data-level="6.1.1" id="sctn-sign-counter"><span class="secno">6.1.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="signature-counter">Signature Counter</dfn> Considerations</span><a class="self-link" href="#sctn-sign-counter"></a></h4> <p>Authenticators SHOULD implement a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter②">signature counter</a> feature. These counters are conceptually stored for each credential -by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter③">signature counter</a> is specified in the <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount①">signCount</a></code> value of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑨">authenticator data</a> returned by <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①①">authenticatorMakeCredential</a>. The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter④">signature counter</a> is incremented for each successful <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑨">authenticatorGetAssertion</a> operation by some positive value, and subsequent values are returned to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑧">WebAuthn Relying Party</a> within the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⓪">authenticator data</a> again. 
The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑤">signature counter</a>'s purpose is to aid <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪①">Relying Parties</a> in detecting cloned authenticators. Clone +by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter③">signature counter</a> is specified in the <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount①">signCount</a></code> value of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data②⑨">authenticator data</a> returned by <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①①">authenticatorMakeCredential</a>. The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter④">signature counter</a> is incremented for each successful <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion⑨">authenticatorGetAssertion</a> operation by some positive value, and subsequent values are returned to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑧">WebAuthn Relying Party</a> within the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⓪">authenticator data</a> again. The <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑤">signature counter</a>'s purpose is to aid <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪②">Relying Parties</a> in detecting cloned authenticators. 
Clone detection is more important for authenticators with limited protection measures.</p> <p>Authenticators that do not implement a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑥">signature counter</a> leave the <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount②">signCount</a></code> in the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③①">authenticator data</a> constant at zero.</p> - <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪②">Relying Party</a> stores the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑦">signature counter</a> of the most recent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⓪">authenticatorGetAssertion</a> operation. (Or the counter from the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①②">authenticatorMakeCredential</a> operation if no <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①①">authenticatorGetAssertion</a> has ever been performed on a credential.) In subsequent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①②">authenticatorGetAssertion</a> operations, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪③">Relying Party</a> compares the stored <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑧">signature counter</a> value with the new <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount③">signCount</a></code> value returned in the assertion’s <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③②">authenticator data</a>. 
If either is non-zero, and the new <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount④">signCount</a></code> value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.</p> - <p>Detecting a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑨">signature counter</a> mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪④">Relying Parties</a> should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.</p> + <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪③">Relying Party</a> stores the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑦">signature counter</a> of the most recent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⓪">authenticatorGetAssertion</a> operation. (Or the counter from the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①②">authenticatorMakeCredential</a> operation if no <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①①">authenticatorGetAssertion</a> has ever been performed on a credential.) 
In subsequent <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①②">authenticatorGetAssertion</a> operations, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪④">Relying Party</a> compares the stored <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑧">signature counter</a> value with the new <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount③">signCount</a></code> value returned in the assertion’s <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③②">authenticator data</a>. If either is non-zero, and the new <code><a data-link-type="dfn" href="#authdata-signcount" id="ref-for-authdata-signcount④">signCount</a></code> value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.</p> + <p>Detecting a <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter⑨">signature counter</a> mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑤">Relying Parties</a> should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.</p> <p>Authenticators:</p> <ul> <li data-md> - <p>SHOULD implement per credential <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⓪">signature counters</a>. This prevents the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①①">signature counter</a> value from being shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑤">Relying Parties</a> and being possibly employed + <p>SHOULD implement per credential <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①⓪">signature counters</a>. 
This prevents the <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①①">signature counter</a> value from being shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑥">Relying Parties</a> and being possibly employed as a correlation handle for the user. Authenticators MAY implement a global <a data-link-type="dfn" href="#signature-counter" id="ref-for-signature-counter①②">signature counter</a>, i.e., on a per-authenticator basis, but this is less privacy-friendly for users.</p> <li data-md> 
@@ -5362,25 +5365,25 @@ <h4 class="heading settled" data-level="6.1.3" id="sctn-credential-backup"><span </table> <figcaption> <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be⑤">BE</a> and <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs⑥">BS</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags②⑨">flag</a> combinations </figcaption> </figure> - <p>It is RECOMMENDED that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑥">Relying Parties</a> store the most recent value of these <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⓪">flags</a> with the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑨">user account</a> for future evaluation.</p> - <p>The following is a non-exhaustive list of how <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑦">Relying Parties</a> might use these <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③①">flags</a>:</p> + <p>It is RECOMMENDED that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑦">Relying Parties</a> store the most recent value of these <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⓪">flags</a> with the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account②⑨">user account</a> for future evaluation.</p> + <p>The following is a non-exhaustive list of how <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑧">Relying Parties</a> might use these <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③①">flags</a>:</p> <ul> <li data-md> <p>Requiring additional <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⓪">authenticators</a>:</p> <p>When the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be⑥">BE</a> <a data-link-type="dfn" href="#authdata-flags" 
id="ref-for-authdata-flags③②">flag</a> is set to <code>0</code>, the credential is a <a data-link-type="dfn" href="#single-device-credential" id="ref-for-single-device-credential②">single-device credential</a> and the <a data-link-type="dfn" href="#generating-authenticator" id="ref-for-generating-authenticator③">generating authenticator</a> will never allow the credential to be backed up.</p> - <p>A <a data-link-type="dfn" href="#single-device-credential" id="ref-for-single-device-credential③">single-device credential</a> is not resilient to single device loss. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑧">Relying Parties</a> SHOULD ensure that each <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⓪">user account</a> has additional <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥①">authenticators</a> <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⓪">registered</a> and/or an account recovery process in place. + <p>A <a data-link-type="dfn" href="#single-device-credential" id="ref-for-single-device-credential③">single-device credential</a> is not resilient to single device loss. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑨">Relying Parties</a> SHOULD ensure that each <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⓪">user account</a> has additional <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥①">authenticators</a> <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⓪">registered</a> and/or an account recovery process in place. 
For example, the user could be prompted to set up an additional <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥②">authenticator</a>, such as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑦">roaming authenticator</a> or an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥③">authenticator</a> that is capable of <a data-link-type="dfn" href="#multi-device-credential" id="ref-for-multi-device-credential⑥">multi-device credentials</a>.</p> <li data-md> <p>Upgrading a user to a password-free account:</p> <p>When the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs⑦">BS</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③③">flag</a> changes from <code>0</code> to <code>1</code>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥④">authenticator</a> is signaling that the <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential①⑨">credential</a> is backed up and is protected from single device loss.</p> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⓪⑨">Relying Party</a> MAY choose to prompt the user to upgrade their account security and remove their password.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⓪">Relying Party</a> MAY choose to prompt the user to upgrade their account security and remove their password.</p> <li data-md> <p>Adding an additional factor after a state change:</p> <p>When the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs⑧">BS</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③④">flag</a> changes from <code>1</code> to <code>0</code>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑤">authenticator</a> is signaling that the <a 
data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⓪">credential</a> is no longer backed up, and no longer protected from single device loss. This could be the result of the user actions, such as disabling the backup service, or errors, such as issues with the backup service.</p> - <p>When this transition occurs, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⓪">Relying Party</a> SHOULD guide the user through a process to validate their other authentication factors. + <p>When this transition occurs, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①①">Relying Party</a> SHOULD guide the user through a process to validate their other authentication factors. If the user does not have another credential for their account, they SHOULD be guided through adding an additional credential to ensure they do not lose access to their account. For example, the user could be prompted to set up an additional <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑥">authenticator</a>, such as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators⑧">roaming authenticator</a> or an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑥⑦">authenticator</a> that is capable of <a data-link-type="dfn" href="#multi-device-credential" id="ref-for-multi-device-credential⑦">multi-device credentials</a>.</p> 
@@ -5410,7 +5413,7 @@ <h3 class="heading settled" data-level="6.2" id="sctn-authenticator-taxonomy"><s <li data-md> <p>Whether the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦①">authenticator</a> is a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①①">roaming</a> or <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators①⑧">platform</a> authenticator, or in some cases both — the <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality①①">authenticator attachment modality</a>. -A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①②">roaming authenticator</a> can support one or more <a href="#enum-transport">transports</a> for communicating with the <a data-link-type="dfn" href="#client" id="ref-for-client⑧①">client</a>.</p> +A <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①②">roaming authenticator</a> can support one or more <a href="#enum-transport">transports</a> for communicating with the <a data-link-type="dfn" href="#client" id="ref-for-client⑧②">client</a>.</p> <li data-md> <p>Whether the authenticator is capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑤">user verification</a> — the <a data-link-type="dfn" href="#authentication-factor-capability" id="ref-for-authentication-factor-capability">authentication factor capability</a>.</p> <li data-md> 
@@ -5465,7 +5468,7 @@ <h3 class="heading settled" data-level="6.2" id="sctn-authenticator-taxonomy"><s these authenticators support <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑥">user verification</a> as a second <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑦">authentication factor</a>, typically a PIN or <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition③">biometric recognition</a>. The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦②">authenticator</a> can thus act as two kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑧">authentication factor</a>, -which enables <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑨">multi-factor</a> authentication while eliminating the need to share a password with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①①">Relying Party</a>. +which enables <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af⑨">multi-factor</a> authentication while eliminating the need to share a password with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①②">Relying Party</a>. 
These authenticators also support <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①④">discoverable credentials</a>, also called <a data-link-type="dfn" href="#passkey" id="ref-for-passkey">passkeys</a>, meaning they also enable authentication flows where username input is not necessary.</p> <p>The <a data-link-type="dfn" href="#user-verifying-platform-authenticator" id="ref-for-user-verifying-platform-authenticator⑥">user-verifying platform authenticator</a> class is largely obsoleted by the <a data-link-type="dfn" href="#passkey-platform-authenticator" id="ref-for-passkey-platform-authenticator②">passkey platform authenticator</a> class, 
@@ -5482,7 +5485,7 @@ <h3 class="heading settled" data-level="6.2" id="sctn-authenticator-taxonomy"><s </ul> <p>The following subsections define the aspects <a data-link-type="dfn" href="#authenticator-attachment-modality" id="ref-for-authenticator-attachment-modality①③">authenticator attachment modality</a>, <a data-link-type="dfn" href="#credential-storage-modality" id="ref-for-credential-storage-modality②">credential storage modality</a> and <a data-link-type="dfn" href="#authentication-factor-capability" id="ref-for-authentication-factor-capability②">authentication factor capability</a> in more depth.</p> <h4 class="heading settled" data-level="6.2.1" id="sctn-authenticator-attachment-modality"><span class="secno">6.2.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-attachment-modality">Authenticator Attachment Modality</dfn></span><a class="self-link" href="#sctn-authenticator-attachment-modality"></a></h4> - <p><a data-link-type="dfn" href="#client" id="ref-for-client⑧②">Clients</a> can communicate with <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦④">authenticators</a> using a variety of mechanisms. For example, a <a data-link-type="dfn" href="#client" id="ref-for-client⑧③">client</a> MAY use a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⓪">client device</a>-specific API to communicate with an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑤">authenticator</a> which is physically bound to a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③①">client device</a>. 
On the other hand, a <a data-link-type="dfn" href="#client" id="ref-for-client⑧④">client</a> can use a variety of standardized cross-platform transport protocols such as Bluetooth (see <a href="#enum-transport">§ 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>) to discover + <p><a data-link-type="dfn" href="#client" id="ref-for-client⑧③">Clients</a> can communicate with <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦④">authenticators</a> using a variety of mechanisms. For example, a <a data-link-type="dfn" href="#client" id="ref-for-client⑧④">client</a> MAY use a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⓪">client device</a>-specific API to communicate with an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑤">authenticator</a> which is physically bound to a <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③①">client device</a>. On the other hand, a <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑤">client</a> can use a variety of standardized cross-platform transport protocols such as Bluetooth (see <a href="#enum-transport">§ 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)</a>) to discover and communicate with <a data-link-type="dfn" href="#cross-platform-attachment" id="ref-for-cross-platform-attachment⑤">cross-platform attached</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑥">authenticators</a>. 
We refer to <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑦⑦">authenticators</a> that are part of the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③②">client device</a> as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="platform-authenticators">platform authenticators</dfn>, while those that are reachable via cross-platform transport protocols are referred to as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="roaming-authenticators">roaming authenticators</dfn>.</p> 
@@ -5497,8 +5500,8 @@ <h4 class="heading settled" data-level="6.2.1" id="sctn-authenticator-attachment </ul> <p>Some <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②①">platform authenticators</a> could possibly also act as <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑦">roaming authenticators</a> depending on context. For example, a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②②">platform authenticator</a> integrated into a mobile device could make itself available as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑧">roaming authenticator</a> via Bluetooth. -In this case <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑤">clients</a> running on the mobile device would recognise the authenticator as a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②③">platform authenticator</a>, -while <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑥">clients</a> running on a different <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑥">client device</a> and communicating with the same authenticator via Bluetooth +In this case <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑥">clients</a> running on the mobile device would recognise the authenticator as a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②③">platform authenticator</a>, +while <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑦">clients</a> running on a different <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑥">client device</a> and communicating with the same authenticator via Bluetooth would recognize it as a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators①⑨">roaming authenticator</a>.</p> <p>The primary use case for <a 
data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators②④">platform authenticators</a> is to register a particular <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑦">client device</a> as a "trusted device", so the <a data-link-type="dfn" href="#client-device" id="ref-for-client-device③⑧">client device</a> itself acts as a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①②">something you have</a> <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①③">authentication factor</a> for future <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①①">authentication</a>. 
@@ -5515,12 +5518,12 @@ <h4 class="heading settled" data-level="6.2.2" id="sctn-credential-storage-modal <p>An <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⓪">authenticator</a> can store a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑥">public key credential source</a> in one of two ways:</p> <ol> <li data-md> - <p>In persistent storage embedded in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧①">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑦">client</a> or <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④④">client device</a>, e.g., in a secure element. + <p>In persistent storage embedded in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧①">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑧">client</a> or <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④④">client device</a>, e.g., in a secure element. This is a technical requirement for a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source③">client-side discoverable public key credential source</a>.</p> <li data-md> <p>By encrypting (i.e., wrapping) the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑦">public key credential source</a> such that only this <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧②">authenticator</a> can decrypt (i.e., unwrap) it and letting the resulting -ciphertext be the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⓪">credential ID</a> of the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑧">public key credential source</a>. 
The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③①">credential ID</a> is stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①②">Relying Party</a> and returned to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧③">authenticator</a> via the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑨">allowCredentials</a></code> option of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⓪">get()</a></code>, which allows the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧④">authenticator</a> to decrypt and use the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑨">public key credential source</a>.</p> - <p>This enables the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑤">authenticator</a> to have unlimited credential storage capacity, since the encrypted <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑥⓪">public key credential sources</a> are stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①③">Relying Party</a> instead of by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑥">authenticator</a> - but it means that a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②①">credential</a> stored in this way must be retrieved from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①④">Relying Party</a> before the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑦">authenticator</a> can use it.</p> 
+ciphertext be the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⓪">credential ID</a> of the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑧">public key credential source</a>. The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③①">credential ID</a> is stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①③">Relying Party</a> and returned to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧③">authenticator</a> via the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials①⑨">allowCredentials</a></code> option of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⓪">get()</a></code>, which allows the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧④">authenticator</a> to decrypt and use the <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑤⑨">public key credential source</a>.</p> + <p>This enables the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑤">authenticator</a> to have unlimited credential storage capacity, since the encrypted <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑥⓪">public key credential sources</a> are stored by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①④">Relying Party</a> instead of by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑥">authenticator</a> - but it means that a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②①">credential</a> 
stored in this way must be retrieved from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑤">Relying Party</a> before the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑦">authenticator</a> can use it.</p> </ol> <p>Which of these storage strategies an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑧">authenticator</a> supports defines the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑧⑨">authenticator</a>'s <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="credential storage modality" data-noexport id="credential-storage-modality">credential storage modality</dfn> as follows:</p> 
@@ -5543,8 +5546,8 @@ <h4 class="heading settled" data-level="6.2.3" id="sctn-authentication-factor-ca verification</a> can also act as one or two additional kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af①⑨">authentication factor</a>. For example, if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑥">authenticator</a> can verify a PIN, the PIN is <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⓪">something you know</a>, and a <a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator">biometric authenticator</a> can verify <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②①">something you are</a>. Therefore, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑦">authenticator</a> that supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑧">user verification</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="multi-factor-capable">multi-factor capable</dfn>. Conversely, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑧">authenticator</a> that is not <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable⑤">multi-factor capable</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="single-factor-capable">single-factor capable</dfn>. 
Note that a single <a data-link-type="dfn" href="#multi-factor-capable" id="ref-for-multi-factor-capable⑥">multi-factor capable</a> <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator①⑨⑨">authenticator</a> could support several modes of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification③⑨">user verification</a>, meaning it could act as all three kinds of <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②②">authentication factor</a>.</p> - <p>Although <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⓪">user verification</a> is performed locally on the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⓪">authenticator</a> and not by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑤">Relying Party</a>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪①">authenticator</a> indicates if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④①">user verification</a> was performed by setting the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv⑨">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑤">flag</a> in the signed response returned to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑥">Relying Party</a>. 
-The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑦">Relying Party</a> can therefore use the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①⓪">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑥">flag</a> to verify that additional <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②③">authentication factors</a> were used in a <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑧">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑨">authentication ceremony</a>. The authenticity of the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①①">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑦">flag</a> can in turn be assessed by inspecting the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪②">authenticator</a>'s <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑧">attestation statement</a>.</p> + <p>Although <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⓪">user verification</a> is performed locally on the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⓪">authenticator</a> and not by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑥">Relying Party</a>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪①">authenticator</a> indicates if <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④①">user verification</a> was performed by setting the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv⑨">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑤">flag</a> in the signed response returned to the <a data-link-type="dfn" href="#relying-party" 
id="ref-for-relying-party②①⑦">Relying Party</a>. +The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑧">Relying Party</a> can therefore use the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①⓪">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑥">flag</a> to verify that additional <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②③">authentication factors</a> were used in a <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑧">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony②⑨">authentication ceremony</a>. The authenticity of the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①①">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑦">flag</a> can in turn be assessed by inspecting the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪②">authenticator</a>'s <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑧">attestation statement</a>.</p> <h3 class="heading settled" data-level="6.3" id="sctn-authenticator-ops"><span class="secno">6.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-operations">Authenticator Operations</dfn></span><a class="self-link" href="#sctn-authenticator-ops"></a></h3> <p>A <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client①⑨">WebAuthn Client</a> MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection defines an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-session">authenticator session</dfn>. An authenticator must maintain isolation between sessions. It may do this by only allowing one 
@@ -5578,26 +5581,26 @@ <h4 class="heading settled" data-level="6.3.2" id="sctn-op-make-cred"><span clas <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data⑨">hash of the serialized client data</a>, provided by the client.</p> <dt data-md><var>rpEntity</var> <dd data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑧">Relying Party</a>'s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity⑥">PublicKeyCredentialRpEntity</a></code>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑨">Relying Party</a>'s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrpentity" id="ref-for-dictdef-publickeycredentialrpentity⑥">PublicKeyCredentialRpEntity</a></code>.</p> <dt data-md><var>userEntity</var> <dd data-md> - <p>The <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③①">user account’s</a> <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑤">PublicKeyCredentialUserEntity</a></code>, containing the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②②">user handle</a> given by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②①⑨">Relying Party</a>.</p> + <p>The <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③①">user account’s</a> <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑤">PublicKeyCredentialUserEntity</a></code>, containing the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②②">user handle</a> given by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⓪">Relying Party</a>.</p> <dt 
data-md><var>requireResidentKey</var> <dd data-md> - <p>The <a data-link-type="dfn" href="#effective-resident-key-requirement-for-credential-creation" id="ref-for-effective-resident-key-requirement-for-credential-creation">effective resident key requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑧">client</a>.</p> + <p>The <a data-link-type="dfn" href="#effective-resident-key-requirement-for-credential-creation" id="ref-for-effective-resident-key-requirement-for-credential-creation">effective resident key requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑨">client</a>.</p> <dt data-md><var>requireUserPresence</var> <dd data-md> <p>The constant Boolean value <code>true</code>, or <var>FALSE</var> when <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation" id="ref-for-dom-credentialcreationoptions-mediation⑥">mediation</a></code></code> is set to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional" id="ref-for-dom-credentialmediationrequirement-conditional②③">conditional</a></code> and the user agent previously collected consent from the user.</p> <dt data-md><var>requireUserVerification</var> <dd data-md> - <p>The <a data-link-type="dfn" href="#effective-user-verification-requirement-for-credential-creation" id="ref-for-effective-user-verification-requirement-for-credential-creation">effective user verification requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑧⑨">client</a>.</p> + <p>The <a data-link-type="dfn" href="#effective-user-verification-requirement-for-credential-creation" 
id="ref-for-effective-user-verification-requirement-for-credential-creation">effective user verification requirement for credential creation</a>, a Boolean value determined by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⓪">client</a>.</p> <dt data-md><var>credTypesAndPubKeyAlgs</var> <dd data-md> - <p>A sequence of pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑧">PublicKeyCredentialType</a></code> and public key algorithms (<code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①②">COSEAlgorithmIdentifier</a></code>) requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⓪">Relying Party</a>. This sequence is ordered from most preferred to least preferred. The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪④">authenticator</a> makes a best-effort to create the most + <p>A sequence of pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype⑧">PublicKeyCredentialType</a></code> and public key algorithms (<code class="idl"><a data-link-type="idl" href="#typedefdef-cosealgorithmidentifier" id="ref-for-typedefdef-cosealgorithmidentifier①②">COSEAlgorithmIdentifier</a></code>) requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②①">Relying Party</a>. This sequence is ordered from most preferred to least preferred. 
The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪④">authenticator</a> makes a best-effort to create the most preferred credential that it can.</p> <dt data-md><var>excludeCredentialDescriptorList</var> <dd data-md> - <p>An OPTIONAL list of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①②">PublicKeyCredentialDescriptor</a></code> objects provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②①">Relying Party</a> with the intention that, if any of + <p>An OPTIONAL list of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①②">PublicKeyCredentialDescriptor</a></code> objects provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②②">Relying Party</a> with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. <var>excludeCredentialDescriptorList</var> contains a list of known credentials.</p> <dt data-md><var>enterpriseAttestationPossible</var> 
@@ -5605,11 +5608,11 @@ <h4 class="heading settled" data-level="6.3.2" id="sctn-op-make-cred"><span clas <p>A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.</p> <dt data-md><var>attestationFormats</var> <dd data-md> - <p>A sequence of strings that expresses the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②②">Relying Party</a>'s preference for attestation statement formats, from most to least preferable. If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑤">authenticator</a> returns <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①④">attestation</a>, then it makes a best-effort attempt to use the most preferable format that it supports.</p> + <p>A sequence of strings that expresses the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②③">Relying Party</a>'s preference for attestation statement formats, from most to least preferable. 
If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑤">authenticator</a> returns <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①④">attestation</a>, then it makes a best-effort attempt to use the most preferable format that it supports.</p> <dt data-md><var>extensions</var> <dd data-md> - <p>A <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑨">CBOR</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map①⓪">map</a> from <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑥">extension identifiers</a> to their <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①">authenticator extension inputs</a>, created by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⓪">client</a> based on -the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②③">Relying Party</a>, if any.</p> + <p>A <a data-link-type="dfn" href="#cbor" id="ref-for-cbor⑨">CBOR</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map①⓪">map</a> from <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑥">extension identifiers</a> to their <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①">authenticator extension inputs</a>, created by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨①">client</a> based on +the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②④">Relying Party</a>, if any.</p> </dl> <p class="note" role="note"><span class="marker">Note:</span> Before performing this operation, all other operations in progress in the <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session②">authenticator session</a> MUST be aborted by running the 
<a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①①">authenticatorCancel</a> operation.</p> 
@@ -5626,7 +5629,7 @@ <h4 class="heading settled" data-level="6.3.2" id="sctn-op-make-cred"><span clas <ol> <li data-md> <p>If <a data-link-type="dfn" href="#credential-id-looking-up" id="ref-for-credential-id-looking-up">looking up</a> <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑦">id</a></code></code> in this authenticator -returns non-null, and the returned <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑨">item</a>'s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑧">RP ID</a> and <a data-link-type="dfn" href="#public-key-credential-source-type" id="ref-for-public-key-credential-source-type①">type</a> match <code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①③">id</a></code></code> and <code><var>excludeCredentialDescriptorList</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type⑤">type</a></code></code> respectively, +returns non-null, and the returned <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item⑨">item</a>'s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⓪">RP ID</a> and <a data-link-type="dfn" href="#public-key-credential-source-type" id="ref-for-public-key-credential-source-type①">type</a> match <code><var>rpEntity</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrpentity-id" id="ref-for-dom-publickeycredentialrpentity-id①③">id</a></code></code> and <code><var>excludeCredentialDescriptorList</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type⑤">type</a></code></code> respectively, then collect an <a 
data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑥">authorization gesture</a> confirming <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent①⑦">user consent</a> for creating a new credential. The <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑦">authorization gesture</a> MUST include a <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence⑧">test of user presence</a>. If the user</p> 
@@ -5640,7 +5643,7 @@ <h4 class="heading settled" data-level="6.3.2" id="sctn-op-make-cred"><span clas </dl> <p class="note" role="note"><span class="marker">Note:</span> The purpose of this <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture①⑧">authorization gesture</a> is not to proceed with creating a credential, but for privacy reasons to authorize disclosure of the fact that <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑧">id</a></code></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①③">bound</a> to this <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑦">authenticator</a>. -If the user consents, the <a data-link-type="dfn" href="#client" id="ref-for-client⑨①">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②④">Relying Party</a> can detect this and guide the user to use a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑧">authenticator</a>. +If the user consents, the <a data-link-type="dfn" href="#client" id="ref-for-client⑨②">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑤">Relying Party</a> can detect this and guide the user to use a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑧">authenticator</a>. 
If the user does not consent, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⓪⑨">authenticator</a> does not reveal that <code><var>descriptor</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id⑨">id</a></code></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①④">bound</a> to it, and responds as if the user simply declined consent to create a credential.</p> 
@@ -5744,13 +5747,13 @@ <h4 class="heading settled" data-level="6.3.3" id="sctn-op-get-assertion"><span <dl> <dt data-md><var>rpId</var> <dd data-md> - <p>The caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id③⑨">RP ID</a>, as <a href="#GetAssn-DetermineRpId">determined</a> by the user agent and the client.</p> + <p>The caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④①">RP ID</a>, as <a href="#GetAssn-DetermineRpId">determined</a> by the user agent and the client.</p> <dt data-md><var>hash</var> <dd data-md> <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⓪">hash of the serialized client data</a>, provided by the client.</p> <dt data-md><var>allowCredentialDescriptorList</var> <dd data-md> - <p>An OPTIONAL <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list⑤">list</a> of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①③">PublicKeyCredentialDescriptor</a></code>s describing credentials acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑤">Relying Party</a> (possibly filtered + <p>An OPTIONAL <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list⑤">list</a> of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor①③">PublicKeyCredentialDescriptor</a></code>s describing credentials acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑥">Relying Party</a> (possibly filtered by the client), if any.</p> <dt data-md><var>requireUserPresence</var> <dd data-md> 
@@ -5763,7 +5766,7 @@ <h4 class="heading settled" data-level="6.3.3" id="sctn-op-get-assertion"><span <dt data-md><var>extensions</var> <dd data-md> <p>A <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⓪">CBOR</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map①①">map</a> from <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier⑧">extension identifiers</a> to their <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input③">authenticator extension inputs</a>, created by the client based on -the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑥">Relying Party</a>, if any.</p> +the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑦">Relying Party</a>, if any.</p> </dl> <p class="note" role="note"><span class="marker">Note:</span> Before performing this operation, all other operations in progress in the <a data-link-type="dfn" href="#authenticator-session" id="ref-for-authenticator-session③">authenticator session</a> MUST be aborted by running the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel①②">authenticatorCancel</a> operation.</p> <p>When this method is invoked, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①①">authenticator</a> MUST perform the following procedure:</p> 
@@ -5839,7 +5842,7 @@ <h4 class="heading settled" data-level="6.3.3" id="sctn-op-get-assertion"><span <p class="note" role="note"><span class="marker">Note:</span> In cases where <var>allowCredentialDescriptorList</var> was supplied the returned <a data-link-type="dfn" href="#public-key-credential-source-userhandle" id="ref-for-public-key-credential-source-userhandle④">userHandle</a> value may be <code>null</code>, see: <a data-link-type="dfn" href="#assertioncreationdata-userhandleresult" id="ref-for-assertioncreationdata-userhandleresult⑤">userHandleResult</a>.</p> </ul> </ol> - <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑤">authenticator</a> cannot find any <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤①">credential</a> corresponding to the specified <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑦">Relying Party</a> that + <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑤">authenticator</a> cannot find any <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤①">credential</a> corresponding to the specified <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑧">Relying Party</a> that matches the specified criteria, it terminates the operation and returns an error.</p> <h4 class="heading settled" data-level="6.3.4" id="sctn-op-cancel"><span class="secno">6.3.4. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticatorcancel">authenticatorCancel</dfn> Operation</span><a class="self-link" href="#sctn-op-cancel"></a></h4> <p>This operation takes no input parameters and returns no result.</p> 
@@ -5853,7 +5856,7 @@ <h4 class="heading settled" data-level="6.3.5" id="sctn-op-silent-discovery"><sp <dl> <dt data-md><var>rpId</var> <dd data-md> - <p>The caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⓪">RP ID</a>, as <a href="#GetAssn-DetermineRpId">determined</a> by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨②">client</a>.</p> + <p>The caller’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④②">RP ID</a>, as <a href="#GetAssn-DetermineRpId">determined</a> by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨③">client</a>.</p> </dl> <p>When this operation is invoked, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑥">authenticator</a> MUST perform the following procedure:</p> <ol> 
@@ -5892,7 +5895,7 @@ <h4 class="heading settled" data-level="6.3.5" id="sctn-op-silent-discovery"><sp <p>Return <var>collectedDiscoverableCredentialMetadata</var>.</p> </ol> <h3 class="heading settled" data-level="6.4" id="sctn-strings"><span class="secno">6.4. </span><span class="content">String Handling</span><a class="self-link" href="#sctn-strings"></a></h3> - <p>Authenticators may be required to store arbitrary strings chosen by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑧">Relying Party</a>, for example the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①⑤">name</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①②">displayName</a></code> in a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑥">PublicKeyCredentialUserEntity</a></code>. This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.</p> + <p>Authenticators may be required to store arbitrary strings chosen by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑨">Relying Party</a>, for example the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name①⑤">name</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname①②">displayName</a></code> in a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑥">PublicKeyCredentialUserEntity</a></code>. 
This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.</p> <h4 class="heading settled" data-level="6.4.1" id="sctn-strings-truncation"><span class="secno">6.4.1. </span><span class="content">String Truncation</span><a class="self-link" href="#sctn-strings-truncation"></a></h4> <p>Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑧">authenticator</a>. When the chosen accommodation is string truncation, care needs to be taken to not corrupt the string value.</p> 
@@ -5907,13 +5910,13 @@ <h4 class="heading settled" data-level="6.4.1" id="sctn-strings-truncation"><spa <img src="images/string-truncation.svg"> <figcaption>The end of a UTF-8 encoded string showing the positions of different truncation boundaries.</figcaption> </figure> - <p>The responsibility for handling these concerns falls primarily on the <a data-link-type="dfn" href="#client" id="ref-for-client⑨③">client</a>, + <p>The responsibility for handling these concerns falls primarily on the <a data-link-type="dfn" href="#client" id="ref-for-client⑨④">client</a>, to avoid burdening <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②①⑨">authenticators</a> with understanding character encodings and Unicode character properties. The following subsections define requirements for how clients and authenticators, respectively, may perform string truncation.</p> <h5 class="heading settled" data-level="6.4.1.1" id="sctn-strings-truncation-client"><span class="secno">6.4.1.1. </span><span class="content">String Truncation by Clients</span><a class="self-link" href="#sctn-strings-truncation-client"></a></h5> <p>When a <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②⓪">WebAuthn Client</a> truncates a string, -the truncation behaviour observable by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②②⑨">Relying Party</a> MUST satisfy the following requirements:</p> +the truncation behaviour observable by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⓪">Relying Party</a> MUST satisfy the following requirements:</p> <p>Choose a size limit equal to or greater than the specified minimum supported length. The string MAY be truncated so that its length in bytes in the UTF-8 character encoding satisfies that limit. 
This truncation MUST respect UTF-8 code point boundaries, and SHOULD respect <a data-link-type="dfn" href="https://w3c.github.io/i18n-glossary/#dfn-grapheme-cluster" id="ref-for-dfn-grapheme-cluster②">grapheme cluster</a> boundaries <a data-link-type="biblio" href="#biblio-uax29" title="UNICODE Text Segmentation">[UAX29]</a>. @@ -5930,7 +5933,7 @@ <h5 class="heading settled" data-level="6.4.1.1" id="sctn-strings-truncation-cli </ol> <h5 class="heading settled" data-level="6.4.1.2" id="sctn-strings-truncation-authenticator"><span class="secno">6.4.1.2. </span><span class="content">String Truncation by Authenticators</span><a class="self-link" href="#sctn-strings-truncation-authenticator"></a></h5> <p>Because a <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑦">WebAuthn Authenticator</a> may be implemented in a constrained environment, -the requirements on authenticators are relaxed compared to those for <a data-link-type="dfn" href="#client" id="ref-for-client⑨④">clients</a>.</p> +the requirements on authenticators are relaxed compared to those for <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑤">clients</a>.</p> <p>When a <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑧">WebAuthn Authenticator</a> truncates a string, the truncation behaviour MUST satisfy the following requirements:</p> <p>Choose a size limit equal to or greater than the specified minimum supported length. 
@@ -5956,12 +5959,12 @@ <h3 class="heading settled" data-level="6.5" id="sctn-attestation"><span class=" If an authenticator does, the basic requirement is that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②④">authenticator</a> can produce, for each <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②④">credential public key</a>, an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement①⑨">attestation statement</a> verifiable by the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party④⑨">WebAuthn Relying Party</a>. Typically, this <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⓪">attestation statement</a> contains a signature by an <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key①">attestation private key</a> over the attested <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑤">credential public key</a> and a challenge, as well as a certificate or similar data providing provenance information for the <a data-link-type="dfn" href="#attestation-public-key" id="ref-for-attestation-public-key">attestation public key</a>, -enabling the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⓪">Relying Party</a> to make a trust decision. However, if an <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair②">attestation key pair</a> is not available, then the authenticator +enabling the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③①">Relying Party</a> to make a trust decision. 
However, if an <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair②">attestation key pair</a> is not available, then the authenticator MAY either perform <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑦">self attestation</a> of the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key②⑥">credential public key</a> with the corresponding <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①②">credential private key</a>, or otherwise perform <a data-link-type="dfn" href="#none" id="ref-for-none①">no attestation</a>. All this information is returned by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑤">authenticators</a> any time a new <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤②">public key credential</a> is generated, in the overall form of an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-object">attestation object</dfn>. 
The relationship of the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⓪">attestation object</a> with <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data③⑨">authenticator data</a> (containing <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data⑨">attested credential data</a>) and the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②①">attestation statement</a> is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"></span></a>, below.</p> <p>If an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑥">authenticator</a> employs <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑧">self attestation</a> or <a data-link-type="dfn" href="#none" id="ref-for-none②">no attestation</a>, then no provenance information is provided -for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③①">Relying Party</a> to base a trust decision on. -In these cases, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑦">authenticator</a> provides no guarantees about its operation to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③②">Relying Party</a>.</p> +for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③②">Relying Party</a> to base a trust decision on. 
+In these cases, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑦">authenticator</a> provides no guarantees about its operation to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③③">Relying Party</a>.</p> <figure id="fig-attStructs"> <img src="images/fido-attestation-structures.svg"> <figcaption><a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①①">Attestation object</a> layout illustrating the included <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⓪">authenticator data</a> (containing <a data-link-type="dfn" href="#attested-credential-data" id="ref-for-attested-credential-data①⓪">attested credential 
@@ -5973,7 +5976,7 @@ <h3 class="heading settled" data-level="6.5" id="sctn-attestation"><span class=" data object, containing statements about a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤③">public key credential</a> itself and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②②⑧">authenticator</a> that created it. It contains an <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature⑦">attestation signature</a> created using the key of the attesting authority (except for the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation⑨">self attestation</a>, when it is created using the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①③">credential private key</a>). In order to correctly interpret an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②③">attestation -statement</a>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③③">Relying Party</a> needs to understand these two aspects of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑥">attestation</a>:</p> +statement</a>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③④">Relying Party</a> needs to understand these two aspects of <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑥">attestation</a>:</p> <ol> <li data-md> <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-statement-format">attestation statement format</dfn> is the manner in which the signature is represented and the various contextual 
@@ -5981,7 +5984,7 @@ <h3 class="heading settled" data-level="6.5" id="sctn-attestation"><span class=" syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format④">attestation statement formats</a>. This specification supports a variety of such formats in an extensible way, as defined in <a href="#sctn-attestation-formats">§ 6.5.2 Attestation Statement Formats</a>. The formats themselves are identified by strings, as described in <a href="#sctn-attstn-fmt-ids">§ 8.1 Attestation Statement Format Identifiers</a>.</p> <li data-md> <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attestation-type">attestation type</dfn> defines the semantics of <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②④">attestation statements</a> and their underlying trust models. -Specifically, it defines how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③④">Relying Party</a> establishes trust in a particular <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑤">attestation statement</a>, after verifying that it +Specifically, it defines how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑤">Relying Party</a> establishes trust in a particular <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement②⑤">attestation statement</a>, after verifying that it is cryptographically valid. 
This specification supports a number of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type">attestation types</a>, as described in <a href="#sctn-attestation-types">§ 6.5.3 Attestation Types</a>.</p> </ol> <p>In general, there is no simple mapping between <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑤">attestation statement formats</a> and <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①">attestation types</a>. For example, the 
@@ -5998,9 +6001,9 @@ <h3 class="heading settled" data-level="6.5" id="sctn-attestation"><span class=" <p>The characteristics of the individual <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⓪">authenticator</a>, such as its construction, whether part or all of it runs in a secure operating environment, and so on.</p> </ul> - <p>The <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type④">attestation type</a> and <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑧">attestation statement format</a> is chosen by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③①">authenticator</a>; <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑤">Relying Parties</a> can only signal their preferences by setting the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestation" id="ref-for-dom-publickeycredentialcreationoptions-attestation④">attestation</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestationformats" id="ref-for-dom-publickeycredentialcreationoptions-attestationformats②">attestationFormats</a></code> parameters.</p> + <p>The <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type④">attestation type</a> and <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑧">attestation statement format</a> is chosen by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③①">authenticator</a>; <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑥">Relying Parties</a> can only signal their preferences by setting the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestation" id="ref-for-dom-publickeycredentialcreationoptions-attestation④">attestation</a></code> and <code 
class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-attestationformats" id="ref-for-dom-publickeycredentialcreationoptions-attestationformats②">attestationFormats</a></code> parameters.</p> <p>It is expected that most <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③②">authenticators</a> will support a small number of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑤">attestation types</a> and <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format⑨">attestation statement -formats</a>, while <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑥">Relying Parties</a> will decide what <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑥">attestation types</a> are acceptable to them by policy. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑦">Relying Parties</a> will also need to +formats</a>, while <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑦">Relying Parties</a> will decide what <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑥">attestation types</a> are acceptable to them by policy. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑧">Relying Parties</a> will also need to understand the characteristics of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③③">authenticators</a> that they trust, based on information they have about these <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③④">authenticators</a>. For example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice" title="FIDO Metadata Service">[FIDOMetadataService]</a> provides one way to access such information.</p> <h4 class="heading settled" data-level="6.5.1" id="sctn-attested-credential-data"><span class="secno">6.5.1. 
</span><span class="content">Attested Credential Data</span><a class="self-link" href="#sctn-attested-credential-data"></a></h4> <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="attested-credential-data">Attested credential data</dfn> is a variable-length byte array added to the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④①">authenticator data</a> when generating an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①③">attestation 
@@ -6132,12 +6135,12 @@ <h4 class="heading settled" data-level="6.5.2" id="sctn-attestation-formats"><sp <h4 class="heading settled" data-level="6.5.3" id="sctn-attestation-types"><span class="secno">6.5.3. </span><span class="content">Attestation Types</span><a class="self-link" href="#sctn-attestation-types"></a></h4> <p>WebAuthn supports several <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type⑨">attestation types</a>, defining the semantics of <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③①">attestation statements</a> and their underlying trust models:</p> - <p class="note" role="note"><span class="marker">Note:</span> This specification does not define any data structures explicitly expressing the <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⓪">attestation types</a> employed by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑥">authenticators</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑧">Relying Parties</a> engaging in <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③②">attestation statement</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure">verification</a> — i.e., when + <p class="note" role="note"><span class="marker">Note:</span> This specification does not define any data structures explicitly expressing the <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⓪">attestation types</a> employed by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑥">authenticators</a>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑨">Relying Parties</a> engaging in <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③②">attestation statement</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure">verification</a> — i.e., when calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⑦">navigator.credentials.create()</a></code> they select an <a data-link-type="dfn" href="#attestation-conveyance" id="ref-for-attestation-conveyance③">attestation conveyance</a> other than <code class="idl"><a data-link-type="idl" href="#dom-attestationconveyancepreference-none" id="ref-for-dom-attestationconveyancepreference-none④">none</a></code> and verify the received <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③③">attestation statement</a> — will determine the employed <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①①">attestation type</a> as a part of <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①">verification</a>. See the "Verification procedure" subsections of <a href="#sctn-defined-attestation-formats">§ 8 Defined Attestation Statement Formats</a>. See also <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a>. 
For all <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①②">attestation types</a> defined in this -section other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①①">Self</a> and <a data-link-type="dfn" href="#none" id="ref-for-none③">None</a>, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②③⑨">Relying Party</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure②">verification</a> is followed by +section other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①①">Self</a> and <a data-link-type="dfn" href="#none" id="ref-for-none③">None</a>, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⓪">Relying Party</a> <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure②">verification</a> is followed by matching the <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path①">trust path</a> to an acceptable root certificate per <a href="#reg-ceremony-assess-trust">step 24</a> of <a href="#sctn-registering-a-new-credential">§ 7.1 Registering a New Credential</a>. Differentiating these <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①③">attestation types</a> becomes useful primarily as a means for determining if the <a data-link-type="dfn" href="#attestation" id="ref-for-attestation①⑨">attestation</a> is acceptable -under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⓪">Relying Party</a> policy.</p> +under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④①">Relying Party</a> policy.</p> <dl> <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="basic-attestation">Basic Attestation</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="basic">Basic</dfn>) <dd data-md> 
@@ -6155,12 +6158,12 @@ <h4 class="heading settled" data-level="6.5.3" id="sctn-attestation-types"><span "endorsement key" (EK). This key is used to securely communicate with a trusted third party, the <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca①">Attestation CA</a> <a data-link-type="biblio" href="#biblio-tcg-cmcprofile-aikcertenroll" title="TCG Infrastructure Working Group: A CMC Profile for AIK Certificate Enrollment">[TCG-CMCProfile-AIKCertEnroll]</a> (formerly known as a "Privacy CA"). The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑧">authenticator</a> can generate multiple attestation identity key pairs (AIK) and requests an <a data-link-type="dfn" href="#attestation-ca" id="ref-for-attestation-ca②">Attestation CA</a> to issue an AIK certificate for each. Using this approach, such an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②③⑨">authenticator</a> can limit the exposure of the EK (which is a global correlation -handle) to Attestation CA(s). AIKs can be requested for each <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⓪">authenticator</a>-generated <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑤">public key credential</a> individually, and conveyed to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④①">Relying Parties</a> as <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate③">attestation certificates</a>.</p> +handle) to Attestation CA(s). 
AIKs can be requested for each <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⓪">authenticator</a>-generated <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑤">public key credential</a> individually, and conveyed to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④②">Relying Parties</a> as <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate③">attestation certificates</a>.</p> <p class="note" role="note"><span class="marker">Note:</span> This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently is called "active".</p> <dt data-md><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="anonymization-ca">Anonymization CA</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="anonca">AnonCA</dfn>) <dd data-md> - <p>In this case, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④①">authenticator</a> uses an <a data-link-type="dfn" href="#anonymization-ca" id="ref-for-anonymization-ca③">Anonymization CA</a> which dynamically generates per-<a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②②">credential</a> <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate④">attestation certificates</a> such that the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③④">attestation statements</a> presented to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④②">Relying Parties</a> do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.</p> + <p>In this case, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④①">authenticator</a> uses an <a data-link-type="dfn" href="#anonymization-ca" 
id="ref-for-anonymization-ca③">Anonymization CA</a> which dynamically generates per-<a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②②">credential</a> <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate④">attestation certificates</a> such that the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③④">attestation statements</a> presented to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④③">Relying Parties</a> do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.</p> <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑤">Attestation statements</a> conveying <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②⓪">attestations</a> of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①④">type</a> <a data-link-type="dfn" href="#attca" id="ref-for-attca">AttCA</a> or <a data-link-type="dfn" href="#anonca" id="ref-for-anonca">AnonCA</a> use the same data structure as those of <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑤">type</a> <a data-link-type="dfn" href="#basic" id="ref-for-basic">Basic</a>, so the three attestation types are, in general, distinguishable only with externally provided knowledge regarding the contents of the <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate⑤">attestation 
@@ -6235,17 +6238,17 @@ <h4 class="heading settled" data-level="6.5.5" id="sctn-signature-attestation-ty The signature is not ASN.1 wrapped.</p> </ul> <h2 class="heading settled" data-level="7" id="sctn-rp-operations"><span class="secno">7. </span><span class="content"><a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⓪">WebAuthn Relying Party</a> Operations</span><a class="self-link" href="#sctn-rp-operations"></a></h2> - <p>A <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①①">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⓪">authentication ceremony</a> begins with the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤①">WebAuthn Relying Party</a> creating a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions①①">PublicKeyCredentialCreationOptions</a></code> or <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions①①">PublicKeyCredentialRequestOptions</a></code> object, respectively, which encodes the parameters for the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①②">ceremony</a>. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④③">Relying Party</a> SHOULD take care to not leak sensitive information during this stage; see <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a> for details.</p> - <p>Upon successful execution of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⑧">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③①">get()</a></code>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④④">Relying Party</a>'s script receives + <p>A <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①①">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⓪">authentication ceremony</a> begins with the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤①">WebAuthn Relying Party</a> creating a <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions①①">PublicKeyCredentialCreationOptions</a></code> or <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions①①">PublicKeyCredentialRequestOptions</a></code> object, respectively, which encodes the parameters for the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①②">ceremony</a>. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④④">Relying Party</a> SHOULD take care to not leak sensitive information during this stage; see <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a> for details.</p> + <p>Upon successful execution of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⑧">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③①">get()</a></code>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑤">Relying Party</a>'s script receives a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential②⑧">PublicKeyCredential</a></code> containing an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse⑤">AuthenticatorAttestationResponse</a></code> or <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse⑥">AuthenticatorAssertionResponse</a></code> structure, -respectively, from the client. It must then deliver the contents of this structure to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑤">Relying Party</a> server, using methods outside -the scope of this specification. This section describes the operations that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑥">Relying Party</a> must perform upon receipt of these +respectively, from the client. It must then deliver the contents of this structure to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑥">Relying Party</a> server, using methods outside +the scope of this specification. 
This section describes the operations that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑦">Relying Party</a> must perform upon receipt of these structures.</p> <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credential"><span class="secno">7.1. </span><span class="content">Registering a New Credential</span><a class="self-link" href="#sctn-registering-a-new-credential"></a></h3> - <p>In order to perform a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①②">registration ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑦">Relying Party</a> MUST proceed as follows:</p> + <p>In order to perform a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①②">registration ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑧">Relying Party</a> MUST proceed as follows:</p> <ol> <li data-md> - <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions" id="ref-for-dictdef-credentialcreationoptions③">CredentialCreationOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑧">Relying Party</a>'s needs for the ceremony. + <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions" id="ref-for-dictdef-credentialcreationoptions③">CredentialCreationOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑨">Relying Party</a>'s needs for the ceremony. 
Let <var>pkOptions</var> be <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey④">publicKey</a></code></code>.</p> <li data-md> <p>Call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create②⑨">navigator.credentials.create()</a></code> and pass <var>options</var> as the argument. 
@@ -6274,17 +6277,17 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti <li data-md> <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑥">challenge</a></code></code> equals the base64url encoding of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge②">challenge</a></code></code>.</p> - <li id="rp-op-registering-a-new-credential-step-origin"><a class="self-link" href="#rp-op-registering-a-new-credential-step-origin"></a> Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑦">origin</a></code></code> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①④">origin</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②④⑨">Relying Party</a>. + <li id="rp-op-registering-a-new-credential-step-origin"><a class="self-link" href="#rp-op-registering-a-new-credential-step-origin"></a> Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑦">origin</a></code></code> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①④">origin</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⓪">Relying Party</a>. See <a href="#sctn-validating-origin">§ 13.4.9 Validating the origin of a credential</a> for guidance. 
<li data-md> <p>If <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin⑨">topOrigin</a></code></code> is present:</p> <ol> <li data-md> - <p>Verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⓪">Relying Party</a> expects that this credential would have been created within an iframe that is + <p>Verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤①">Relying Party</a> expects that this credential would have been created within an iframe that is not <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors④">same-origin with its ancestors</a>.</p> <li data-md> <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①⓪">topOrigin</a></code></code> matches the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⑤">origin</a> of a page -that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤①">Relying Party</a> expects to be sub-framed within. +that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤②">Relying Party</a> expects to be sub-framed within. See <a href="#sctn-validating-origin">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p> </ol> <li data-md> 
@@ -6292,30 +6295,30 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti <li data-md> <p>Perform CBOR decoding on the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject⑦">attestationObject</a></code> field of the <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse⑦">AuthenticatorAttestationResponse</a></code> structure to obtain the attestation statement format <var>fmt</var>, the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⑤">authenticator data</a> <var>authData</var>, and the attestation statement <var>attStmt</var>.</p> <li data-md> - <p>Verify that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash②">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④①">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤②">Relying Party</a>.</p> + <p>Verify that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash②">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④③">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤③">Relying Party</a>.</p> <li data-md> <p>If <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation" id="ref-for-dom-credentialcreationoptions-mediation⑦">mediation</a></code></code> is not set to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional" 
id="ref-for-dom-credentialmediationrequirement-conditional②⑤">conditional</a></code>, verify that the <a data-link-type="dfn" href="#authdata-flags-up" id="ref-for-authdata-flags-up③">UP</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑧">flags</a></code> in <var>authData</var> is set.</p> <li data-md> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤③">Relying Party</a> requires <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑥">user verification</a> for this registration, + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤④">Relying Party</a> requires <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification④⑥">user verification</a> for this registration, verify that the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①②">UV</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags③⑨">flags</a></code> in <var>authData</var> is set.</p> <li data-md> <p>If the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be⑦">BE</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④⓪">flags</a></code> in <var>authData</var> is not set, verify that the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs⑨">BS</a> bit is not set.</p> <li data-md> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤④">Relying Party</a> uses the credential’s <a data-link-type="dfn" href="#backup-eligibility" id="ref-for-backup-eligibility③">backup eligibility</a> to inform its user experience flows and/or policies, evaluate the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be⑧">BE</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④①">flags</a></code> in 
<var>authData</var>.</p> + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑤">Relying Party</a> uses the credential’s <a data-link-type="dfn" href="#backup-eligibility" id="ref-for-backup-eligibility③">backup eligibility</a> to inform its user experience flows and/or policies, evaluate the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be⑧">BE</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④①">flags</a></code> in <var>authData</var>.</p> <li data-md> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑤">Relying Party</a> uses the credential’s <a data-link-type="dfn" href="#backup-state" id="ref-for-backup-state③">backup state</a> to inform its user experience flows and/or policies, evaluate the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①⓪">BS</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④②">flags</a></code> in <var>authData</var>.</p> + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑥">Relying Party</a> uses the credential’s <a data-link-type="dfn" href="#backup-state" id="ref-for-backup-state③">backup state</a> to inform its user experience flows and/or policies, evaluate the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①⓪">BS</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④②">flags</a></code> in <var>authData</var>.</p> <li data-md> <p>Verify that the "alg" parameter in the <a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialpublickey" id="ref-for-authdata-attestedcredentialdata-credentialpublickey⑤">credential public key</a> in <var>authData</var> matches the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-alg" 
id="ref-for-dom-publickeycredentialparameters-alg②">alg</a></code> attribute of one of the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item①②">items</a> in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-pubkeycredparams" id="ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams⑥">pubKeyCredParams</a></code></code>.</p> <li id="reg-ceremony-verify-extension-outputs"> <a class="self-link" href="#reg-ceremony-verify-extension-outputs"></a> Verify that the values of the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑥">client extension outputs</a> in <var>clientExtensionResults</var> and the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output③">authenticator extension outputs</a> in the <code><a data-link-type="dfn" href="#authdata-extensions" id="ref-for-authdata-extensions⑦">extensions</a></code> in <var>authData</var> are as expected, considering the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑤">client - extension input</a> values that were given in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑥">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑤">extensions</a></code></code>. 
- In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑦">Relying Party</a> and which extensions are in use. - <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⓪">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension③">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension②">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output④">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑦">client extension outputs</a> that were not originally specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑧">Relying Parties</a> MUST be prepared to handle such - situations, whether it be to ignore the unsolicited extensions or reject the attestation. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑨">Relying Party</a> can make this + extension input</a> values that were given in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑦">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑤">extensions</a></code></code>. + In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑧">Relying Party</a> and which extensions are in use. 
+ <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⓪">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension③">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension②">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output④">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑦">client extension outputs</a> that were not originally specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑤⑨">Relying Parties</a> MUST be prepared to handle such + situations, whether it be to ignore the unsolicited extensions or reject the attestation. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⓪">Relying Party</a> can make this decision based on local policy and the extensions in use.</p> - <p class="note" role="note"><span class="marker">Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑤">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑥">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⓪">Relying Party</a> MUST also be + <p class="note" role="note"><span class="marker">Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑥">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑥">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥①">Relying Party</a> MUST also be prepared to handle cases where none or not all of the requested extensions were acted upon.</p> <li data-md> <p>Determine the attestation statement format by performing a USASCII case-sensitive match on <var>fmt</var> against the set of 
@@ -6334,9 +6337,9 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti <a class="self-link" href="#reg-ceremony-assess-trust"></a> Assess the attestation trustworthiness using the outputs of the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑤">verification procedure</a> in <a href="#reg-ceremony-verify-attestation">step 22</a>, as follows: <ul> <li data-md> - <p>If <a data-link-type="dfn" href="#none" id="ref-for-none④">no attestation</a> was provided, verify that <a data-link-type="dfn" href="#none" id="ref-for-none⑤">None</a> attestation is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥①">Relying Party</a> policy.</p> + <p>If <a data-link-type="dfn" href="#none" id="ref-for-none④">no attestation</a> was provided, verify that <a data-link-type="dfn" href="#none" id="ref-for-none⑤">None</a> attestation is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥②">Relying Party</a> policy.</p> <li data-md> - <p>If <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①③">self attestation</a> was used, verify that <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①④">self attestation</a> is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥②">Relying Party</a> policy.</p> + <p>If <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①③">self attestation</a> was used, verify that <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①④">self attestation</a> is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥③">Relying Party</a> policy.</p> <li data-md> <p>Otherwise, use the X.509 certificates returned as the <a data-link-type="dfn" href="#attestation-trust-path" id="ref-for-attestation-trust-path②">attestation trust path</a> from the <a 
data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure⑥">verification procedure</a> to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in <a href="#reg-ceremony-attestation-trust-anchors">step 23</a> may be the same).</p> 
@@ -6344,8 +6347,8 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti <li data-md> <p>Verify that the <code><a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialid" id="ref-for-authdata-attestedcredentialdata-credentialid④">credentialId</a></code> is ≤ 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①③">registration ceremony</a>.</p> <li data-md> - <p>Verify that the <code><a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialid" id="ref-for-authdata-attestedcredentialdata-credentialid⑤">credentialId</a></code> is not yet registered for any user. If the <code><a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialid" id="ref-for-authdata-attestedcredentialdata-credentialid⑥">credentialId</a></code> is already known then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥③">Relying Party</a> SHOULD fail this <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①④">registration ceremony</a>.</p> - <p class="note" role="note"><span class="marker">NOTE:</span> The rationale for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥④">Relying Parties</a> rejecting duplicate <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑧">credential IDs</a> is as follows: <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑨">credential IDs</a> contain sufficient entropy that accidental duplication is very unlikely. 
However, <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑥">attestation types</a> other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑤">self attestation</a> do not include a self-signature to explicitly prove possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑤">credential private key</a> at <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑨">registration</a> time. Thus an attacker who has managed to obtain a user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⓪">credential ID</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⓪">credential public key</a> for a site (this could be potentially accomplished in various ways), could attempt to register a victim’s credential as their own at that site. If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑤">Relying Party</a> accepts this new registration and replaces the victim’s existing credential registration, and the <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑤">credentials are discoverable</a>, then the victim could be forced to sign into the attacker’s account at their next attempt. Data saved to the site by the victim in that state would then be available to the attacker.</p> + <p>Verify that the <code><a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialid" id="ref-for-authdata-attestedcredentialdata-credentialid⑤">credentialId</a></code> is not yet registered for any user. 
If the <code><a data-link-type="dfn" href="#authdata-attestedcredentialdata-credentialid" id="ref-for-authdata-attestedcredentialdata-credentialid⑥">credentialId</a></code> is already known then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥④">Relying Party</a> SHOULD fail this <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①④">registration ceremony</a>.</p> + <p class="note" role="note"><span class="marker">NOTE:</span> The rationale for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑤">Relying Parties</a> rejecting duplicate <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑧">credential IDs</a> is as follows: <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id③⑨">credential IDs</a> contain sufficient entropy that accidental duplication is very unlikely. However, <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type①⑥">attestation types</a> other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑤">self attestation</a> do not include a self-signature to explicitly prove possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑤">credential private key</a> at <a data-link-type="dfn" href="#registration" id="ref-for-registration①⑨">registration</a> time. Thus an attacker who has managed to obtain a user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⓪">credential ID</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⓪">credential public key</a> for a site (this could be potentially accomplished in various ways), could attempt to register a victim’s credential as their own at that site. 
If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑥">Relying Party</a> accepts this new registration and replaces the victim’s existing credential registration, and the <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑤">credentials are discoverable</a>, then the victim could be forced to sign into the attacker’s account at their next attempt. Data saved to the site by the victim in that state would then be available to the attacker.</p> <li id="reg-ceremony-store-credential-record"> <a class="self-link" href="#reg-ceremony-store-credential-record"></a> If the attestation statement <var>attStmt</var> verified successfully and is found to be trustworthy, then create and store a new <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record①①">credential record</a> in the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③②">user account</a> that was denoted in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user⑦">user</a></code></code>, 
@@ -6357,7 +6360,7 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti <dt data-md><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-id" id="ref-for-abstract-opdef-credential-record-id②">id</a> <dd data-md> <p><code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id①">id</a></code></code> or <code><var>credential</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid②">rawId</a></code></code>, -whichever format is preferred by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑥">Relying Party</a>.</p> +whichever format is preferred by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑦">Relying Party</a>.</p> <dt data-md><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-publickey" id="ref-for-abstract-opdef-credential-record-publickey">publicKey</a> <dd data-md> <p>The <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③①">credential public key</a> in <var>authData</var>.</p> 
@@ -6388,22 +6391,22 @@ <h3 class="heading settled" data-level="7.1" id="sctn-registering-a-new-credenti </dl> <li data-md> <p>If the attestation statement <var>attStmt</var> successfully verified but is not trustworthy per <a href="#reg-ceremony-assess-trust">step 24</a> above, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑦">Relying Party</a> SHOULD fail the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑤">registration ceremony</a>.</p> - <p class="note" role="note"><span class="marker">NOTE:</span> However, if permitted by policy, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑧">Relying Party</a> MAY register the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④①">credential ID</a> and credential public key but treat the - credential as one with <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑥">self attestation</a> (see <a href="#sctn-attestation-types">§ 6.5.3 Attestation Types</a>). If doing so, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑨">Relying Party</a> is asserting there +the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑧">Relying Party</a> SHOULD fail the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑤">registration ceremony</a>.</p> + <p class="note" role="note"><span class="marker">NOTE:</span> However, if permitted by policy, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑥⑨">Relying Party</a> MAY register the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④①">credential ID</a> and credential public key but treat the + credential as one with <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑥">self attestation</a> (see <a href="#sctn-attestation-types">§ 6.5.3 Attestation Types</a>). 
If doing so, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⓪">Relying Party</a> is asserting there is no cryptographic proof that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑥">public key credential</a> has been generated by a particular <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑦">authenticator</a> model. See <a data-link-type="biblio" href="#biblio-fidosecref" title="FIDO Security Reference">[FIDOSecRef]</a> and <a data-link-type="biblio" href="#biblio-uafprotocol" title="FIDO UAF Protocol Specification v1.0">[UAFProtocol]</a> for a more detailed discussion.</p> </ol> - <p>Verification of <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑥">attestation objects</a> requires that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⓪">Relying Party</a> has a trusted method of determining acceptable trust anchors + <p>Verification of <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑥">attestation objects</a> requires that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦①">Relying Party</a> has a trusted method of determining acceptable trust anchors in <a href="#reg-ceremony-attestation-trust-anchors">step 23</a> above. -Also, if certificates are being used, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦①">Relying Party</a> MUST have access to certificate status information for the -intermediate CA certificates. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦②">Relying Party</a> MUST also be able to build the attestation certificate chain if the client did not +Also, if certificates are being used, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦②">Relying Party</a> MUST have access to certificate status information for the +intermediate CA certificates. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦③">Relying Party</a> MUST also be able to build the attestation certificate chain if the client did not provide this chain in the attestation information.</p> <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span class="secno">7.2. </span><span class="content">Verifying an Authentication Assertion</span><a class="self-link" href="#sctn-verifying-assertion"></a></h3> - <p>In order to perform an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③①">authentication ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦③">Relying Party</a> MUST proceed as follows:</p> + <p>In order to perform an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③①">authentication ceremony</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦④">Relying Party</a> MUST proceed as follows:</p> <ol> <li data-md> - <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions③">CredentialRequestOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦④">Relying Party</a>'s needs for the ceremony. + <p>Let <var>options</var> be a new <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions③">CredentialRequestOptions</a></code> structure configured to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑤">Relying Party</a>'s needs for the ceremony. 
Let <var>pkOptions</var> be <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey④">publicKey</a></code></code>.</p> <li data-md> <p>Call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③②">navigator.credentials.get()</a></code> and pass <var>options</var> as the argument. 
@@ -6450,20 +6453,20 @@ <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span <li data-md> <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑦">challenge</a></code></code> equals the base64url encoding of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge③">challenge</a></code></code>.</p> - <li id="rp-op-verifying-assertion-step-origin"><a class="self-link" href="#rp-op-verifying-assertion-step-origin"></a> Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑧">origin</a></code></code> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⑥">origin</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑤">Relying Party</a>. + <li id="rp-op-verifying-assertion-step-origin"><a class="self-link" href="#rp-op-verifying-assertion-step-origin"></a> Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑧">origin</a></code></code> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⑥">origin</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑥">Relying Party</a>. See <a href="#sctn-validating-origin">§ 13.4.9 Validating the origin of a credential</a> for guidance. 
<li data-md> <p>If <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①①">topOrigin</a></code></code> is present:</p> <ol> <li data-md> - <p>Verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑥">Relying Party</a> expects this credential to be used within an iframe that is not <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors⑤">same-origin with its ancestors</a>.</p> + <p>Verify that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑦">Relying Party</a> expects this credential to be used within an iframe that is not <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors⑤">same-origin with its ancestors</a>.</p> <li data-md> <p>Verify that the value of <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①②">topOrigin</a></code></code> matches the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⑦">origin</a> of a page -that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑦">Relying Party</a> expects to be sub-framed within. +that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑧">Relying Party</a> expects to be sub-framed within. 
See <a href="#sctn-validating-origin">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p> </ol> <li id="rp-op-verifying-assertion-step-rpid-hash"> - <a class="self-link" href="#rp-op-verifying-assertion-step-rpid-hash"></a> Verify that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash③">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④②">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑧">Relying Party</a>. + <a class="self-link" href="#rp-op-verifying-assertion-step-rpid-hash"></a> Verify that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash③">rpIdHash</a></code> in <var>authData</var> is the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④④">RP ID</a> expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑨">Relying Party</a>. <p class="note" role="note"><span class="marker">Note:</span> If using the <a data-link-type="dfn" href="#appid" id="ref-for-appid①">appid</a> extension, this step needs some special logic. See <a href="#sctn-appid-extension">§ 10.1.1 FIDO AppID Extension (appid)</a> for details.</p> <li data-md> <p>Verify that the <a data-link-type="dfn" href="#authdata-flags-up" id="ref-for-authdata-flags-up④">UP</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④⑥">flags</a></code> in <var>authData</var> is set.</p> 
@@ -6475,7 +6478,7 @@ <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span <li data-md> <p>If the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be①⓪">BE</a> bit of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags④⑨">flags</a></code> in <var>authData</var> is not set, verify that the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①②">BS</a> bit is not set.</p> <li data-md> - <p>If the credential <a data-link-type="dfn" href="#backup-state" id="ref-for-backup-state④">backup state</a> is used as part of <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑦⑨">Relying Party</a> business logic or policy, + <p>If the credential <a data-link-type="dfn" href="#backup-state" id="ref-for-backup-state④">backup state</a> is used as part of <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⓪">Relying Party</a> business logic or policy, let <var>currentBe</var> and <var>currentBs</var> be the values of the <a data-link-type="dfn" href="#authdata-flags-be" id="ref-for-authdata-flags-be①①">BE</a> and <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①③">BS</a> bits, respectively, of the <code><a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑤⓪">flags</a></code> in <var>authData</var>. Compare <var>currentBe</var> and <var>currentBs</var> with <code><var>credentialRecord</var>.<a data-link-type="abstract-op" href="#abstract-opdef-credential-record-backupeligible" id="ref-for-abstract-opdef-credential-record-backupeligible①">backupEligible</a></code> and <code><var>credentialRecord</var>.<a data-link-type="abstract-op" href="#abstract-opdef-credential-record-backupstate" id="ref-for-abstract-opdef-credential-record-backupstate①">backupState</a></code>:</p> 
@@ -6485,18 +6488,18 @@ <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span <li data-md> <p>If <code><var>credentialRecord</var>.<a data-link-type="abstract-op" href="#abstract-opdef-credential-record-backupeligible" id="ref-for-abstract-opdef-credential-record-backupeligible③">backupEligible</a></code> is not set, verify that <var>currentBe</var> is not set.</p> <li data-md> - <p>Apply <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⓪">Relying Party</a> policy, if any.</p> + <p>Apply <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧①">Relying Party</a> policy, if any.</p> </ol> - <p class="note" role="note"><span class="marker">Note:</span> See <a href="#sctn-credential-backup">§ 6.1.3 Credential Backup State</a> for examples of how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧①">Relying Party</a> might process the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①④">BS</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑤①">flag</a> values.</p> + <p class="note" role="note"><span class="marker">Note:</span> See <a href="#sctn-credential-backup">§ 6.1.3 Credential Backup State</a> for examples of how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧②">Relying Party</a> might process the <a data-link-type="dfn" href="#authdata-flags-bs" id="ref-for-authdata-flags-bs①④">BS</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑤①">flag</a> values.</p> <li id="authn-ceremony-verify-extension-outputs"> <a class="self-link" href="#authn-ceremony-verify-extension-outputs"></a> Verify that the values of the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑧">client extension outputs</a> in <var>clientExtensionResults</var> and the <a data-link-type="dfn" href="#authenticator-extension-output" 
id="ref-for-authenticator-extension-output⑤">authenticator extension outputs</a> in the <code><a data-link-type="dfn" href="#authdata-extensions" id="ref-for-authdata-extensions⑧">extensions</a></code> in <var>authData</var> are as expected, considering the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑥">client - extension input</a> values that were given in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧②">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑤">extensions</a></code></code>. - In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧③">Relying Party</a> and which extensions are in use. 
- <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤①">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension④">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension③">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑥">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑨">client extension outputs</a> that were not originally specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧④">Relying Parties</a> MUST be prepared to handle such - situations, whether it be to ignore the unsolicited extensions or reject the assertion. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑤">Relying Party</a> can make this + extension input</a> values that were given in <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions④">extensions</a></code></code> and any specific policy of the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧③">Relying Party</a> regarding unsolicited extensions, i.e., those that were not specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑤">extensions</a></code></code>. + In the general case, the meaning of "are as expected" is specific to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧④">Relying Party</a> and which extensions are in use. 
+ <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤①">Client platforms</a> MAY enact local policy that sets additional <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension④">authenticator extensions</a> or <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension③">client extensions</a> and thus cause values to appear in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑥">authenticator extension outputs</a> or <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output⑨">client extension outputs</a> that were not originally specified as part of <code><var>pkOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions⑥">extensions</a></code></code>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑤">Relying Parties</a> MUST be prepared to handle such + situations, whether it be to ignore the unsolicited extensions or reject the assertion. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑥">Relying Party</a> can make this decision based on local policy and the extensions in use.</p> - <p class="note" role="note"><span class="marker">Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑥">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑧">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑥">Relying Party</a> MUST also be + <p class="note" role="note"><span class="marker">Note:</span> Since all extensions are OPTIONAL for both the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑦">client</a> and the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②④⑧">authenticator</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑦">Relying Party</a> MUST also be prepared to handle cases where none or not all of the requested extensions were acted upon.</p> <li data-md> <p>Let <var>hash</var> be the result of computing a hash over the <var>cData</var> using SHA-256.</p> 
@@ -6517,9 +6520,9 @@ <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span <dd>This is a signal that the authenticator may be cloned, i.e. at least two copies of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑥">credential private key</a> may exist and are - being used in parallel. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑦">Relying Parties</a> should incorporate this information + being used in parallel. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑧">Relying Parties</a> should incorporate this information into their risk scoring. - Whether the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑧">Relying Party</a> updates <code><var>credentialRecord</var>.<a data-link-type="abstract-op" href="#abstract-opdef-credential-record-signcount" id="ref-for-abstract-opdef-credential-record-signcount④">signCount</a></code> below in this case, or not, or fails the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③④">authentication ceremony</a> or not, is <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑨">Relying Party</a>-specific. + Whether the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑨">Relying Party</a> updates <code><var>credentialRecord</var>.<a data-link-type="abstract-op" href="#abstract-opdef-credential-record-signcount" id="ref-for-abstract-opdef-credential-record-signcount④">signCount</a></code> below in this case, or not, or fails the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③④">authentication ceremony</a> or not, is <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⓪">Relying Party</a>-specific. </dl> </ul> <li id="authn-ceremony-update-credential-record"> 
@@ -6535,7 +6538,7 @@ <h3 class="heading settled" data-level="7.2" id="sctn-verifying-assertion"><span This change SHOULD require authorization by an additional <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②④">authentication factor</a> equivalent to WebAuthn <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⓪">user verification</a>; if not authorized, skip this step.</p> </ol> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⓪">Relying Party</a> performs additional security checks beyond these WebAuthn <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑤">authentication ceremony</a> steps, + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨①">Relying Party</a> performs additional security checks beyond these WebAuthn <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑤">authentication ceremony</a> steps, the above state updates SHOULD be deferred to after those additional checks are completed successfully.</p> <li data-md> <p>If all the above steps are successful, continue with the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑥">authentication ceremony</a> as appropriate. Otherwise, fail the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑦">authentication ceremony</a>.</p> 
@@ -6682,8 +6685,8 @@ <h4 class="heading settled" data-level="8.2.1" id="sctn-packed-attestation-cert- <li data-md> <p>If the related attestation root certificate is used for multiple authenticator models, the Extension OID <code>1.3.6.1.4.1.45724.1.1.4</code> (<code>id-fido-gen-ce-aaguid</code>) MUST be present, containing the AAGUID as a 16-byte OCTET STRING. The extension MUST NOT be marked as critical.</p> - <p>As <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨①">Relying Parties</a> may not know if the attestation root -certificate is used for multiple authenticator models, it is suggested that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨②">Relying Parties</a> check if the extension + <p>As <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨②">Relying Parties</a> may not know if the attestation root +certificate is used for multiple authenticator models, it is suggested that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨③">Relying Parties</a> check if the extension is present, and if it is, then validate that it contains that same AAGUID as presented in the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑦">attestation object</a>.</p> <p>Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING. Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid.</p> 
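Review bot: The guidance that Relying Parties are merely "suggested" to check the `id-fido-gen-ce-aaguid` extension against the attestation object's AAGUID is weaker than the consequence warrants: when an attestation root is shared across models, that extension is the only binding between the certificate chain and the AAGUID in `authData`, so an RP that skips the comparison accepts an attestation whose chain vouches for a different authenticator model than the one claimed. Consider tightening the sentence to `Relying Parties SHOULD check if the extension is present, and if it is, MUST validate that it contains the same AAGUID as presented in the attestation object`, and state what a mismatch means (the attestation statement fails verification), since the current text leaves the failure outcome implicit. That is a normative (RFC 2119) change and would need WG agreement rather than landing in an editorial pass. This hunk only renumbers the generated `ref-for-relying-party` anchors; the packed attestation verification procedure that would consume this check lies outside the hunk.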
@@ -6900,7 +6903,7 @@ <h3 class="heading settled" data-level="8.4" id="sctn-android-key-attestation">< <ul> <li data-md> <p>The <code>AuthorizationList.allApplications</code> field is <em>not</em> present on either authorization list -(<code>softwareEnforced</code> nor <code>teeEnforced</code>), since PublicKeyCredential MUST be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑥">scoped</a> to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④③">RP ID</a>.</p> +(<code>softwareEnforced</code> nor <code>teeEnforced</code>), since PublicKeyCredential MUST be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑥">scoped</a> to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑤">RP ID</a>.</p> <li data-md> <p>For the following, use only the <code>teeEnforced</code> authorization list if the RP wants to accept only keys from a trusted execution environment, otherwise use the union of <code>teeEnforced</code> and <code>softwareEnforced</code>.</p> @@ -7014,7 +7017,7 @@ <h3 class="heading settled" data-level="8.6" id="sctn-fido-u2f-attestation"><spa <dt data-md>sig <dd data-md> <p>The <a data-link-type="dfn" href="#attestation-signature" id="ref-for-attestation-signature①④">attestation signature</a>. -The signature was calculated over the (raw) U2F registration response message <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats" title="FIDO U2F Raw Message Formats">[FIDO-U2F-Message-Formats]</a> received by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑦">client</a> from the authenticator.</p> +The signature was calculated over the (raw) U2F registration response message <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats" title="FIDO U2F Raw Message Formats">[FIDO-U2F-Message-Formats]</a> received by the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑧">client</a> from the authenticator.</p> </dl> <dt data-md>Signing procedure <dd data-md> 
@@ -7023,7 +7026,7 @@ <h3 class="heading settled" data-level="8.6" id="sctn-fido-u2f-attestation"><spa and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data①⑨">hash of the serialized client data</a>. (Since SHA-256 is used to hash the serialized <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①①">client data</a>, <var>clientDataHash</var> will be 32 bytes long.)</p> <p>Generate a Registration Response Message as specified in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats" title="FIDO U2F Raw Message Formats">[FIDO-U2F-Message-Formats]</a> <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success" id="ref-for-registration-response-message-success">Section 4.3</a>, with the application parameter set to the -SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④④">RP ID</a> that the given <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑧">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑦">scoped</a> to, the challenge parameter set to <var>clientDataHash</var>, and the key handle +SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑥">RP ID</a> that the given <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑤⑧">credential</a> is <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑦">scoped</a> to, the challenge parameter set to <var>clientDataHash</var>, and the key handle parameter set to the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④②">credential ID</a> of the given credential. 
Set the raw signature part of this Registration Response Message (i.e., without the <a data-link-type="dfn" href="#user-public-key" id="ref-for-user-public-key①">user public key</a>, key handle, and attestation certificates) as <var>sig</var> and set the attestation certificates of the attestation public key as <var>x5c</var>.</p> 
@@ -7187,9 +7190,9 @@ <h3 class="heading settled" data-level="8.9" id="sctn-compound-attestation"><spa <ol> <li data-md> <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate" id="ref-for-list-iterate②①">For each</a> <var>subStmt</var> of <var>attStmt</var>, evaluate the <a data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①③">verification procedure</a> corresponding to the <a data-link-type="dfn" href="#attestation-statement-format-identifier" id="ref-for-attestation-statement-format-identifier⑤">attestation statement format identifier</a> <code><var>subStmt</var>.fmt</code> with <a data-link-type="dfn" href="#verification-procedure-inputs" id="ref-for-verification-procedure-inputs⑥">verification procedure inputs</a> <var>subStmt</var>, <var>authenticatorData</var> and <var>clientDataHash</var>.</p> - <p>If validation fails for one or more <var>subStmt</var>, decide the appropriate result based on <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨③">Relying Party</a> policy.</p> + <p>If validation fails for one or more <var>subStmt</var>, decide the appropriate result based on <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨④">Relying Party</a> policy.</p> <li data-md> - <p>If sufficiently many (as determined by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨④">Relying Party</a> policy) <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item①③">items</a> of <var>attStmt</var> verify successfully, + <p>If sufficiently many (as determined by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑤">Relying Party</a> policy) <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item" id="ref-for-list-item①③">items</a> of <var>attStmt</var> verify successfully, return implementation-specific values representing any combination of outputs from successful <a 
data-link-type="dfn" href="#verification-procedure" id="ref-for-verification-procedure①④">verification procedures</a>.</p> </ol> </dl> 
@@ -7208,9 +7211,9 @@ <h2 class="heading settled" data-level="9" id="sctn-extensions"><span class="sec <p><a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑥">Client extension processing</a> for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension③">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension③">authentication extensions</a>.</p> </ul> <p>When creating a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⓪">public key credential</a> or requesting an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①③">authentication assertion</a>, a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤④">WebAuthn Relying Party</a> can request the use of a set -of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑨">WebAuthn Authenticator</a>. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑤">Relying Party</a> sends the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑦">client extension input</a> for each extension in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③④">get()</a></code> call -(for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension④">authentication extensions</a>) or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③①">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension④">registration extensions</a>) to the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑧">client</a>. -The <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑨">client</a> performs <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑦">client extension processing</a> for each extension that the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤②">client platform</a> supports, and augments the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①③">client data</a> as specified by each extension, by including the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⓪">extension identifier</a> and <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⓪">client extension output</a> values.</p> +of extensions. 
These extensions will be invoked during the requested operation if they are supported by the client and/or the <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator⑨">WebAuthn Authenticator</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑥">Relying Party</a> sends the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑦">client extension input</a> for each extension in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③④">get()</a></code> call +(for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension④">authentication extensions</a>) or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③①">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension④">registration extensions</a>) to the <a data-link-type="dfn" href="#client" id="ref-for-client⑨⑨">client</a>. 
+The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⓪">client</a> performs <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑦">client extension processing</a> for each extension that the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤②">client platform</a> supports, and augments the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①③">client data</a> as specified by each extension, by including the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⓪">extension identifier</a> and <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⓪">client extension output</a> values.</p> <p>An extension can also be an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension">authenticator extension</dfn>, meaning that the extension involves communication with and processing by the authenticator. <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑤">Authenticator extensions</a> define the following steps and data:</p> <ul> 
@@ -7228,11 +7231,11 @@ <h2 class="heading settled" data-level="9" id="sctn-extensions"><span class="sec Since <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑧">authenticator extension output</a> is returned as part of the signed <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⑦">authenticator data</a>, authenticator extensions MAY also specify an <a data-link-type="dfn" href="#unsigned-extension-outputs" id="ref-for-unsigned-extension-outputs">unsigned extension output</a>, e.g. for cases where an output itself depends on <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data④⑧">authenticator data</a>. Part of the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing⑨">client extension processing</a> for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑦">authenticator extensions</a> is to use the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output⑨">authenticator extension output</a> and <a data-link-type="dfn" href="#unsigned-extension-outputs" id="ref-for-unsigned-extension-outputs①">unsigned extension output</a> as an input to creating the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①①">client extension output</a>.</p> - <p>All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions①⓪">WebAuthn Extensions</a> are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑥">Relying Party</a> MAY be + <p>All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions①⓪">WebAuthn Extensions</a> are OPTIONAL for both clients and authenticators. 
Thus, any extensions requested by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑦">Relying Party</a> MAY be ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator. -Ignoring an extension is never considered a failure in WebAuthn API processing, so when <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑦">Relying Parties</a> include extensions with any +Ignoring an extension is never considered a failure in WebAuthn API processing, so when <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑧">Relying Parties</a> include extensions with any API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.</p> - <p>All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions①①">WebAuthn Extensions</a> MUST be defined in such a way that lack of support for them by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⓪">client</a> or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑤">authenticator</a> does not endanger the user’s security or privacy. + <p>All <a data-link-type="dfn" href="#webauthn-extensions" id="ref-for-webauthn-extensions①①">WebAuthn Extensions</a> MUST be defined in such a way that lack of support for them by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪①">client</a> or <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑤">authenticator</a> does not endanger the user’s security or privacy. 
For instance, if an extension requires client processing, it could be defined in a manner that ensures that a naïve pass-through that simply transcodes <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input⑨">client extension inputs</a> from JSON to CBOR will produce a semantically invalid <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input⑧">authenticator extension input</a> value, resulting in the extension 
@@ -7263,7 +7266,7 @@ <h3 class="heading settled" data-level="9.2" id="sctn-extension-specification">< the <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing③">authenticator extension processing</a> rules, and the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑤">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⓪">authenticator extension output</a> value. Extensions MAY specify <a data-link-type="dfn" href="#unsigned-extension-outputs" id="ref-for-unsigned-extension-outputs②">unsigned extension outputs</a>.</p> <p>Any <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑤">client extension</a> that is processed by the client MUST return a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①③">client extension output</a> value so that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⑤">WebAuthn Relying Party</a> knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return -an <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①①">authenticator extension output</a> to let the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑧">Relying Party</a> know that the extension was honored by the authenticator. If an +an <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①①">authenticator extension output</a> to let the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑨">Relying Party</a> know that the extension was honored by the authenticator. 
If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①④">client extension output</a> result, set to <code>true</code> to signify that the extension was understood and processed. Likewise, any <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension⑨">authenticator extension</a> that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①②">authenticator extension output</a> result, set to <code>true</code> to signify that the extension was understood and processed.</p> 
@@ -7273,7 +7276,7 @@ <h3 class="heading settled" data-level="9.3" id="sctn-extension-request-paramete in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⑦">get()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③④">create()</a></code> call, while the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor①⑥">CBOR</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="authenticator-extension-input">authenticator extension input</dfn> is passed from the client to the authenticator for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①⓪">authenticator extensions</a> during the processing of these calls.</p> - <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑨⑨">Relying Party</a> simultaneously requests the use of an extension and sets its <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①①">client extension input</a> by including an entry in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑦">extensions</a></code> option to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③⑤">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⑧">get()</a></code> call. 
+ <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⓪">Relying Party</a> simultaneously requests the use of an extension and sets its <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①①">client extension input</a> by including an entry in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-extensions" id="ref-for-dom-publickeycredentialcreationoptions-extensions⑦">extensions</a></code> option to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create" id="ref-for-dom-credentialscontainer-create③⑤">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③⑧">get()</a></code> call. The entry key is the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①③">extension identifier</a> and the value is the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①②">client extension input</a>.</p> <p class="note" role="note"><span class="marker">Note:</span> Other documents have specified extensions where the extension input does not always use the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①④">extension identifier</a> as the entry key. New extensions SHOULD follow the above convention.</p> 
@@ -7292,8 +7295,8 @@ <h3 class="heading settled" data-level="9.3" id="sctn-extension-request-paramete <c- p>});</c-> </pre> <p>Extension definitions MUST specify the valid values for their <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①③">client extension input</a>. Clients SHOULD ignore extensions with -an invalid <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①④">client extension input</a>. If an extension does not require any parameters from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⓪">Relying Party</a>, it SHOULD be defined -as taking a Boolean client argument, set to <code>true</code> to signify that the extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪①">Relying Party</a>.</p> +an invalid <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①④">client extension input</a>. If an extension does not require any parameters from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪①">Relying Party</a>, it SHOULD be defined +as taking a Boolean client argument, set to <code>true</code> to signify that the extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪②">Relying Party</a>.</p> <p>Extensions that only affect client processing need not specify <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⓪">authenticator extension input</a>. Extensions that have authenticator processing MUST specify the method of computing the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①①">authenticator extension input</a> from the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑤">client extension input</a>, 
@@ -7313,7 +7316,7 @@ <h3 class="heading settled" data-level="9.3" id="sctn-extension-request-paramete <p class="note" role="note"><span class="marker">Note:</span> Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate over low-bandwidth links such as Bluetooth Low-Energy or NFC.</p> <h3 class="heading settled" data-level="9.4" id="sctn-client-extension-processing"><span class="secno">9.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension-processing">Client Extension Processing</dfn></span><a class="self-link" href="#sctn-client-extension-processing"></a></h3> - <p>Extensions MAY define additional processing requirements on the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪①">client</a> during the creation of credentials or the + <p>Extensions MAY define additional processing requirements on the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪②">client</a> during the creation of credentials or the generation of an assertion. The <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑦">client extension input</a> for the extension is used as an input to this client processing. 
For each supported <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑥">client extension</a>, the client adds an entry to the <var>clientExtensions</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map" id="ref-for-ordered-map①②">map</a> with the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑦">extension identifier</a> as the key, and the extension’s <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input①⑧">client extension input</a> as the value.</p> <p>Likewise, the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output①⑤">client extension outputs</a> are represented as a dictionary in the result of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientextensionresults" id="ref-for-dom-publickeycredential-getclientextensionresults④">getClientExtensionResults()</a></code> with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier①⑧">extension identifiers</a> as keys, and the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="client-extension-output">client extension output</dfn> value of each extension as the value. 
@@ -7330,7 +7333,7 @@ <h3 class="heading settled" data-level="9.5" id="sctn-authenticator-extension-pr as a separate map, keyed with the same <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier②①">extension identifier</a>. This map only contains entries for authenticator extensions that make use of unsigned outputs. Unsigned outputs are useful when extensions output a signature over the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑤②">authenticator data</a> (because otherwise a signature would have to sign over itself, which isn’t possible) or when -some extension outputs should not be sent to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪②">Relying Party</a>.</p> +some extension outputs should not be sent to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪③">Relying Party</a>.</p> <p class="note" role="note"><span class="marker">Note:</span> In <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> <a data-link-type="dfn" href="#unsigned-extension-outputs" id="ref-for-unsigned-extension-outputs④">unsigned extension outputs</a> are returned as a CBOR map in a top-level field named <code>unsignedExtensionOutputs</code> from both <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential①⑨">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion①⑨">authenticatorGetAssertion</a>.</p> <p>For each supported extension, the <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing④">authenticator extension processing</a> rule for that extension is used create the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output①⑤">authenticator extension output</a>, and <a 
data-link-type="dfn" href="#unsigned-extension-outputs" id="ref-for-unsigned-extension-outputs⑤">unsigned extension output</a> if used, from the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input①⑦">authenticator extension input</a> and possibly also other inputs. There MUST NOT be any values returned for ignored extensions.</p> 
@@ -7343,11 +7346,11 @@ <h3 class="heading settled" data-level="10.1" id="sctn-defined-client-extensions <h4 class="heading settled" data-level="10.1.1" id="sctn-appid-extension"><span class="secno">10.1.1. </span><span class="content">FIDO <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="appid">AppID</dfn> Extension (appid)</span><a class="self-link" href="#sctn-appid-extension"></a></h4> <p>This extension allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⑦">WebAuthn Relying Parties</a> that have previously registered a credential using the legacy FIDO U2F JavaScript API <a data-link-type="biblio" href="#biblio-fidou2fjavascriptapi" title="FIDO U2F JavaScript API">[FIDOU2FJavaScriptAPI]</a> to request an <a data-link-type="dfn" href="#assertion" id="ref-for-assertion④">assertion</a>. The -FIDO APIs use an alternative identifier for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪③">Relying Parties</a> called an <var>AppID</var> <a data-link-type="biblio" href="#biblio-fido-appid" title="FIDO AppID and Facet Specification">[FIDO-APPID]</a>, and any credentials created using those APIs will be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑧">scoped</a> to +FIDO APIs use an alternative identifier for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪④">Relying Parties</a> called an <var>AppID</var> <a data-link-type="biblio" href="#biblio-fido-appid" title="FIDO AppID and Facet Specification">[FIDO-APPID]</a>, and any credentials created using those APIs will be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑧">scoped</a> to that identifier. 
Without this extension, they would need to be re-registered in -order to be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑨">scoped</a> to an <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑤">RP ID</a>.</p> +order to be <a data-link-type="dfn" href="#scope" id="ref-for-scope①⑨">scoped</a> to an <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑦">RP ID</a>.</p> <p>In addition to setting the <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid">appid</a></code> extension input, -using this extension requires some additional processing by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪④">Relying Party</a> in order to allow users to <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①③">authenticate</a> using their registered U2F credentials:</p> +using this extension requires some additional processing by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑤">Relying Party</a> in order to allow users to <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①③">authenticate</a> using their registered U2F credentials:</p> <ol> <li data-md> <p>List the desired U2F credentials in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②②">allowCredentials</a></code> option 
@@ -7362,18 +7365,18 @@ <h4 class="heading settled" data-level="10.1.1" id="sctn-appid-extension"><span of both WebAuthn <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④③">credential IDs</a> and U2F key handles; stating the <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid①">appid</a></code> via this extension does not prevent the user from using a WebAuthn-registered credential - scoped to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑥">RP ID</a> stated in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid⑥">rpId</a></code>.</p> + scoped to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑧">RP ID</a> stated in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid⑥">rpId</a></code>.</p> <li data-md> - <p>When <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, expect that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash④">rpIdHash</a></code> MAY be the hash of the <var>AppID</var> instead of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑦">RP ID</a>.</p> + <p>When <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, expect that the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash④">rpIdHash</a></code> MAY be the hash of the <var>AppID</var> instead of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑨">RP ID</a>.</p> </ol> <p>This extension does not allow FIDO-compatible credentials to be created. 
Thus, credentials created with WebAuthn are not backwards compatible with the FIDO JavaScript APIs.</p> <p class="note" role="note"><span class="marker">Note:</span> <code class="idl"><a data-link-type="idl" href="#dom-authenticationextensionsclientinputs-appid" id="ref-for-dom-authenticationextensionsclientinputs-appid②">appid</a></code> should be set to the AppID -that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑤">Relying Party</a> <em>previously</em> used in the legacy FIDO APIs. -This might not be the same as the result of translating the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑥">Relying Party</a>'s WebAuthn <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑧">RP ID</a> to the AppID format, +that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑥">Relying Party</a> <em>previously</em> used in the legacy FIDO APIs. +This might not be the same as the result of translating the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑦">Relying Party</a>'s WebAuthn <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⓪">RP ID</a> to the AppID format, e.g., the previously used AppID may have been "https://accounts.example.com" -but the currently used <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id④⑨">RP ID</a> might be "example.com".</p> +but the currently used <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤①">RP ID</a> might be "example.com".</p> <dl> <dt data-md>Extension identifier <dd data-md> 
@@ -7409,7 +7412,7 @@ <h4 class="heading settled" data-level="10.1.1" id="sctn-appid-extension"><span <p>Let <var>output</var> be the Boolean value <code>false</code>.</p> <li data-md> <p>When <a href="#assertionCreationDataCreation">creating assertionCreationData</a>, -if the <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑤">assertion</a> was created by a U2F authenticator with the U2F application parameter set to the SHA-256 hash of <var>appId</var> instead of the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⓪">RP ID</a>, set <var>output</var> to <code>true</code>.</p> +if the <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑤">assertion</a> was created by a U2F authenticator with the U2F application parameter set to the SHA-256 hash of <var>appId</var> instead of the SHA-256 hash of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤②">RP ID</a>, set <var>output</var> to <code>true</code>.</p> </ol> </dl> <p class="note" role="note"><span class="marker">Note:</span> In practice, several implementations do not implement steps four and onward of the 
@@ -7418,7 +7421,7 @@ <h4 class="heading settled" data-level="10.1.1" id="sctn-appid-extension"><span <dl> <dt data-md>Client extension output <dd data-md> - <p>Returns the value of <var>output</var>. If true, the <var>AppID</var> was used and thus, when <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑦">Relying Party</a> MUST expect the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash⑤">rpIdHash</a></code> to be the hash of the <var>AppID</var>, not the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤①">RP ID</a>.</p> + <p>Returns the value of <var>output</var>. If true, the <var>AppID</var> was used and thus, when <a href="#rp-op-verifying-assertion-step-rpid-hash">verifying the assertion</a>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑧">Relying Party</a> MUST expect the <code><a data-link-type="dfn" href="#authdata-rpidhash" id="ref-for-authdata-rpidhash⑤">rpIdHash</a></code> to be the hash of the <var>AppID</var>, not the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤③">RP ID</a>.</p> <pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑤"><c- g>AuthenticationExtensionsClientOutputs</c-></a> { <a class="idl-code" data-link-type="interface" href="https://webidl.spec.whatwg.org/#idl-boolean" id="ref-for-idl-boolean⑦"><c- b>boolean</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="boolean" id="dom-authenticationextensionsclientoutputs-appid"><code><c- g>appid</c-></code></dfn>; }; 
@@ -7435,7 +7438,7 @@ <h4 class="heading settled" data-level="10.1.1" id="sctn-appid-extension"><span </dl> <h4 class="heading settled" data-level="10.1.2" id="sctn-appid-exclude-extension"><span class="secno">10.1.2. </span><span class="content">FIDO AppID Exclusion Extension (appidExclude)</span><a class="self-link" href="#sctn-appid-exclude-extension"></a></h4> <p>This registration extension allows <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⑧">WebAuthn Relying Parties</a> to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API <a data-link-type="biblio" href="#biblio-fidou2fjavascriptapi" title="FIDO U2F JavaScript API">[FIDOU2FJavaScriptAPI]</a>.</p> - <p>During a transition from the FIDO U2F JavaScript API, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑧">Relying Party</a> may have a population of users with legacy credentials already registered. The <a href="#sctn-appid-extension">appid</a> extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑥">excludeCredentials</a> field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤③">client platforms</a> to consider the contents of <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑦">excludeCredentials</a> as both WebAuthn and legacy FIDO credentials. 
Note that U2F key handles commonly use <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding②③">base64url encoding</a> but must be decoded to their binary form when used in <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑧">excludeCredentials</a>.</p> + <p>During a transition from the FIDO U2F JavaScript API, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑨">Relying Party</a> may have a population of users with legacy credentials already registered. The <a href="#sctn-appid-extension">appid</a> extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑥">excludeCredentials</a> field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤③">client platforms</a> to consider the contents of <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑦">excludeCredentials</a> as both WebAuthn and legacy FIDO credentials. Note that U2F key handles commonly use <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding②③">base64url encoding</a> but must be decoded to their binary form when used in <a href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑧">excludeCredentials</a>.</p> <dl> <dt data-md>Extension identifier <dd data-md> 
@@ -7510,7 +7513,7 @@ <h4 class="heading settled" data-level="10.1.2" id="sctn-appid-exclude-extension </ol> <dt data-md>Client extension output <dd data-md> - <p>Returns the value <code>true</code> to indicate to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⓪⑨">Relying Party</a> that the extension was acted upon.</p> + <p>Returns the value <code>true</code> to indicate to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⓪">Relying Party</a> that the extension was acted upon.</p> <pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientoutputs" id="ref-for-dictdef-authenticationextensionsclientoutputs⑥"><c- g>AuthenticationExtensionsClientOutputs</c-></a> { <a class="idl-code" data-link-type="interface" href="https://webidl.spec.whatwg.org/#idl-boolean" id="ref-for-idl-boolean⑧"><c- b>boolean</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientOutputs" data-dfn-type="dict-member" data-export data-type="boolean" id="dom-authenticationextensionsclientoutputs-appidexclude"><code><c- g>appidExclude</c-></code></dfn>; }; 
@@ -7526,7 +7529,7 @@ <h4 class="heading settled" data-level="10.1.2" id="sctn-appid-exclude-extension <p>None.</p> </dl> <h4 class="heading settled" data-level="10.1.3" id="sctn-authenticator-credential-properties-extension"><span class="secno">10.1.3. </span><span class="content">Credential Properties Extension (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="credprops">credProps</dfn>)</span><a class="self-link" href="#sctn-authenticator-credential-properties-extension"></a></h4> - <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑧">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑨">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑨">authentication extension</a> facilitates reporting certain <a data-link-type="dfn" href="#credential-properties" id="ref-for-credential-properties③">credential properties</a> known by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪②">client</a> to the requesting <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⑨">WebAuthn Relying Party</a> upon creation or use of a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑥⑧">public key credential source</a>.</p> + <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑧">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension⑨">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension⑨">authentication extension</a> facilitates reporting certain <a data-link-type="dfn" href="#credential-properties" id="ref-for-credential-properties③">credential properties</a> known by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪③">client</a> to the requesting <a 
data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑤⑨">WebAuthn Relying Party</a> upon creation or use of a <a data-link-type="dfn" href="#public-key-credential-source" id="ref-for-public-key-credential-source⑥⑧">public key credential source</a>.</p> <dl> <dt data-md>Extension identifier <dd data-md> @@ -7536,7 +7539,7 @@ <h4 class="heading settled" data-level="10.1.3" id="sctn-authenticator-credentia <p><a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⓪">Registration</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⓪">authentication</a></p> <dt data-md>Client extension input <dd data-md> - <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⓪">Relying Party</a>.</p> + <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①①">Relying Party</a>.</p> <pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="#dictdef-authenticationextensionsclientinputs" id="ref-for-dictdef-authenticationextensionsclientinputs⑧"><c- g>AuthenticationExtensionsClientInputs</c-></a> { <a class="idl-code" data-link-type="interface" href="https://webidl.spec.whatwg.org/#idl-boolean" id="ref-for-idl-boolean⑨"><c- b>boolean</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsClientInputs" data-dfn-type="dict-member" data-export data-type="boolean" id="dom-authenticationextensionsclientinputs-credprops"><code><c- g>credProps</c-></code></dfn>; }; 
@@ -7574,25 +7577,25 @@ <h4 class="heading settled" data-level="10.1.3" id="sctn-authenticator-credentia If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk③">rk</a></code> is <code>true</code>, the credential is a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑥">discoverable credential</a>. If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk④">rk</a></code> is <code>false</code>, the credential is a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①②">server-side credential</a>. If <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑤">rk</a></code> is not present, it is not known whether the credential is a <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑦">discoverable credential</a> or a <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①③">server-side credential</a>.</p> - <p class="note" role="note"><span class="marker">Note:</span> some <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑥">authenticators</a> create <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑧">discoverable credentials</a> even when not requested by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤④">client platform</a>. Because of this, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑤">client platforms</a> may be forced to omit the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑥">rk</a></code> property because they lack the assurance to be able to set it to <code>false</code>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①①">Relying Parties</a> should assume that, if the <code>credProps</code> extension is supported, then <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑥">client platforms</a> will endeavour to populate the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑦">rk</a></code> property. Therefore a missing <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑧">rk</a></code> indicates that the created credential is most likely a <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential④">non-discoverable credential</a>.</p> + <p class="note" role="note"><span class="marker">Note:</span> some <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑥">authenticators</a> create <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑧">discoverable credentials</a> even when not requested by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤④">client platform</a>. Because of this, <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑤">client platforms</a> may be forced to omit the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑥">rk</a></code> property because they lack the assurance to be able to set it to <code>false</code>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①②">Relying Parties</a> should assume that, if the <code>credProps</code> extension is supported, then <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑥">client platforms</a> will endeavour to populate the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑦">rk</a></code> property. Therefore a missing <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-rk" id="ref-for-dom-credentialpropertiesoutput-rk⑧">rk</a></code> indicates that the created credential is most likely a <a data-link-type="dfn" href="#non-discoverable-credential" id="ref-for-non-discoverable-credential④">non-discoverable credential</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CredentialPropertiesOutput" data-dfn-type="dict-member" data-export id="dom-credentialpropertiesoutput-authenticatordisplayname"><code>authenticatorDisplayName</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-DOMString" id="ref-for-idl-DOMString⑦⑧">DOMString</a></span> <dd data-md> <p>This OPTIONAL property is a <a data-link-type="dfn" href="#human-palatability" id="ref-for-human-palatability⑦">human-palatable</a> description of the credential’s <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①②">managing authenticator</a>, chosen by the user.</p> - <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪③">client</a> MUST allow the user to choose this value. + <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪④">client</a> MUST allow the user to choose this value. 
That choice MAY be presented during the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑧">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑧">authentication</a> ceremony or MAY be made available outside -the ceremony, for example in client settings. The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪④">client</a> MAY reuse the same value -for multiple credentials with the same <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①③">managing authenticator</a> across multiple <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①②">Relying Parties</a>.</p> - <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑤">client</a> MAY query the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑦">authenticator</a>, by some unspecified mechanism, for this +the ceremony, for example in client settings. The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑤">client</a> MAY reuse the same value +for multiple credentials with the same <a data-link-type="dfn" href="#public-key-credential-source-managing-authenticator" id="ref-for-public-key-credential-source-managing-authenticator①③">managing authenticator</a> across multiple <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①③">Relying Parties</a>.</p> + <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑥">client</a> MAY query the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑦">authenticator</a>, by some unspecified mechanism, for this value. The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑧">authenticator</a> MAY allow the user to configure the response to such a query. 
The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑤⑨">authenticator</a> vendor MAY provide a default response to such a query. -The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑥">client</a> MAY consider a user-configured response chosen by the user, +The <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑦">client</a> MAY consider a user-configured response chosen by the user, and SHOULD allow the user to modify a vendor-provided default response.</p> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①③">Relying Party</a> includes an <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname">authenticatorDisplayName</a></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item①②">item</a> in its <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record①⑧">credential records</a>, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①④">Relying Party</a> MAY offer this <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-authenticatordisplayname" id="ref-for-dom-credentialpropertiesoutput-authenticatordisplayname④">authenticatorDisplayName</a></code> extension output, + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①④">Relying Party</a> includes an <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname">authenticatorDisplayName</a></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#struct-item" id="ref-for-struct-item①②">item</a> in its <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record①⑧">credential records</a>, +the <a data-link-type="dfn" 
href="#relying-party" id="ref-for-relying-party③①⑤">Relying Party</a> MAY offer this <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-authenticatordisplayname" id="ref-for-dom-credentialpropertiesoutput-authenticatordisplayname④">authenticatorDisplayName</a></code> extension output, if present, as a default value for the <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname①">authenticatorDisplayName</a></code> of the new <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record①⑨">credential record</a> it stores after a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony①⑨">registration ceremony</a>.</p> <p>If the <code class="idl"><a data-link-type="idl" href="#dom-credentialpropertiesoutput-authenticatordisplayname" id="ref-for-dom-credentialpropertiesoutput-authenticatordisplayname⑤">authenticatorDisplayName</a></code> extension output from an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony③⑨">authentication ceremony</a> is different from the <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname②">authenticatorDisplayName</a></code> of the <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record②⓪">credential record</a>, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑤">Relying Party</a> MAY offer the user to update the <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname③">authenticatorDisplayName</a></code> of the <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record②①">credential record</a>.</p> 
+the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑥">Relying Party</a> MAY offer the user to update the <code><a data-link-type="abstract-op" href="#abstract-opdef-credential-record-authenticatordisplayname" id="ref-for-abstract-opdef-credential-record-authenticatordisplayname③">authenticatorDisplayName</a></code> of the <a data-link-type="dfn" href="#credential-record" id="ref-for-credential-record②①">credential record</a>.</p> </dl> </div> <dt data-md>Authenticator extension input 
@@ -7606,11 +7609,11 @@ <h4 class="heading settled" data-level="10.1.3" id="sctn-authenticator-credentia <p>None.</p> </dl> <h4 class="heading settled" data-level="10.1.4" id="prf-extension"><span class="secno">10.1.4. </span><span class="content">Pseudo-random function extension (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="prf">prf</dfn>)</span><a class="self-link" href="#prf-extension"></a></h4> - <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑨">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①①">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①①">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑥">Relying Party</a> to evaluate outputs from a pseudo-random function (PRF) associated with a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②④">credential</a>. 
The PRFs provided by this extension map from <code class="idl"><a data-link-type="idl" href="https://webidl.spec.whatwg.org/#BufferSource" id="ref-for-BufferSource①⓪">BufferSource</a></code>s of any length to 32-byte <code class="idl"><a data-link-type="idl" href="https://webidl.spec.whatwg.org/#BufferSource" id="ref-for-BufferSource①①">BufferSource</a></code>s.</p> + <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension⑨">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①①">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①①">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑦">Relying Party</a> to evaluate outputs from a pseudo-random function (PRF) associated with a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②④">credential</a>. The PRFs provided by this extension map from <code class="idl"><a data-link-type="idl" href="https://webidl.spec.whatwg.org/#BufferSource" id="ref-for-BufferSource①⓪">BufferSource</a></code>s of any length to 32-byte <code class="idl"><a data-link-type="idl" href="https://webidl.spec.whatwg.org/#BufferSource" id="ref-for-BufferSource①①">BufferSource</a></code>s.</p> <p>As a motivating example, PRF outputs could be used as symmetric keys to encrypt user data. Such encrypted data would be inaccessible without the ability to get assertions from the associated <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑤">credential</a>. 
By using the provision below to evaluate the PRF at two inputs in a single <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑥">assertion</a> operation, the encryption key could be periodically rotated during <a data-link-type="dfn" href="#assertion" id="ref-for-assertion⑦">assertions</a> by choosing a fresh, random input and reencrypting under the new output. If the evaluation inputs are unpredictable then even an attacker who could satisfy <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤①">user verification</a>, and who had time-limited access to the authenticator, could not learn the encryption key without also knowing the correct PRF input.</p> <p>This extension is implemented on top of the <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> <code>hmac-secret</code> extension. It is a separate <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①⓪">client extension</a> because <code>hmac-secret</code> requires that inputs and outputs be encrypted in a manner that only the user agent can perform, and to provide separation between uses by WebAuthn and any uses by the underlying platform. This separation is achieved by hashing the provided PRF inputs with a context string to prevent evaluation of the PRFs for arbitrary inputs.</p> <p>The <code>hmac-secret</code> extension provides two PRFs per credential: one which is used for requests where <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤②">user verification</a> is performed and another for all other requests. This extension only exposes a single PRF per credential and, when implementing on top of <code>hmac-secret</code>, that PRF MUST be the one used for when <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤③">user verification</a> is performed. 
This overrides the <code class="idl"><a data-link-type="idl" href="#enumdef-userverificationrequirement" id="ref-for-enumdef-userverificationrequirement⑥">UserVerificationRequirement</a></code> if neccessary.</p> - <p class="note" role="note"><span class="marker">Note:</span> this extension may be implemented for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⓪">authenticators</a> that do not use <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> so long as the behavior observed by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑦">Relying Party</a> is identical.</p> + <p class="note" role="note"><span class="marker">Note:</span> this extension may be implemented for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⓪">authenticators</a> that do not use <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> so long as the behavior observed by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑧">Relying Party</a> is identical.</p> <dl> <dt data-md>Extension identifier <dd data-md> 
@@ -7696,7 +7699,7 @@ <h4 class="heading settled" data-level="10.1.4" id="prf-extension"><span class=" </ol> <dt data-md>Authenticator extension input / processing / output <dd data-md> - <p><a data-link-type="dfn" href="#prf" id="ref-for-prf">This extension</a> uses the <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> <code>hmac-secret</code> extension when communicating with the authenticator. It thus does not specify any direct authenticator interaction for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑧">Relying Parties</a>.</p> + <p><a data-link-type="dfn" href="#prf" id="ref-for-prf">This extension</a> uses the <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> <code>hmac-secret</code> extension when communicating with the authenticator. It thus does not specify any direct authenticator interaction for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑨">Relying Parties</a>.</p> <dt data-md>Client extension output <dd data-md> <pre class="idl highlight def"><c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-authenticationextensionsprfoutputs"><code><c- g>AuthenticationExtensionsPRFOutputs</c-></code></dfn> { 
@@ -7720,9 +7723,9 @@ <h4 class="heading settled" data-level="10.1.4" id="prf-extension"><span class=" </div> </dl> <h4 class="heading settled" data-level="10.1.5" id="sctn-large-blob-extension"><span class="secno">10.1.5. </span><span class="content">Large blob storage extension (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="largeblob">largeBlob</dfn>)</span><a class="self-link" href="#sctn-large-blob-extension"></a></h4> - <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①①">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①④">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①④">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③①⑨">Relying Party</a> to store opaque data associated with a credential. Since <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥③">authenticators</a> can only store small amounts of data, and most <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⓪">Relying Parties</a> are online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. 
For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②①">Relying Party</a> might wish to issue certificates rather than run a centralised authentication service.</p> - <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②②">Relying Parties</a> can assume that the opaque data will be compressed when being written to a space-limited device and so need not compress it themselves.</p> - <p>Since a certificate system needs to sign over the public key of the credential, and that public key is only available after creation, this extension does not add an ability to write blobs in the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑤">registration</a> context. However, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②③">Relying Parties</a> SHOULD use the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑥">registration extension</a> when creating the credential if they wish to later use the <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑤">authentication extension</a>.</p> + <p>This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①①">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①④">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①④">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⓪">Relying Party</a> to store opaque data associated with a credential. 
Since <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥③">authenticators</a> can only store small amounts of data, and most <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②①">Relying Parties</a> are online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②②">Relying Party</a> might wish to issue certificates rather than run a centralised authentication service.</p> + <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②③">Relying Parties</a> can assume that the opaque data will be compressed when being written to a space-limited device and so need not compress it themselves.</p> + <p>Since a certificate system needs to sign over the public key of the credential, and that public key is only available after creation, this extension does not add an ability to write blobs in the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑤">registration</a> context. 
However, <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②④">Relying Parties</a> SHOULD use the <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑥">registration extension</a> when creating the credential if they wish to later use the <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑤">authentication extension</a>.</p> <p>Since certificates are sizable relative to the storage capabilities of typical authenticators, user agents SHOULD consider what indications and confirmations are suitable to best guide the user in allocating this limited resource and prevent abuse.</p> <p class="note" role="note"><span class="marker">Note:</span> In order to interoperate, user agents storing large blobs on authenticators using <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> are expected to use the provisions detailed in that specification for storing <a data-link-type="dfn" href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorLargeBlobs" id="ref-for-authenticatorLargeBlobs">large, per-credential blobs</a>.</p> <p class="note" role="note"><span class="marker">Note:</span> <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②③">Roaming authenticators</a> that use <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a> as their cross-platform transport protocol only support this <a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob">Large Blob</a> extension for <a data-link-type="dfn" href="#discoverable-credential" id="ref-for-discoverable-credential①⑨">discoverable credentials</a>, 
@@ -7759,10 +7762,10 @@ <h4 class="heading settled" data-level="10.1.5" id="sctn-large-blob-extension">< <p>A DOMString that takes one of the values of <code class="idl"><a data-link-type="idl" href="#enumdef-largeblobsupport" id="ref-for-enumdef-largeblobsupport">LargeBlobSupport</a></code>. (See <a href="#sct-domstring-backwards-compatibility">§ 2.1.1 Enumerations as DOMString types</a>.) Only valid during <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑧">registration</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobInputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargeblobinputs-read"><code>read</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#idl-boolean" id="ref-for-idl-boolean①⑤">boolean</a></span> <dd data-md> - <p>A boolean that indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②④">Relying Party</a> would like to fetch the previously-written blob associated with the asserted credential. Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑦">authentication</a>.</p> + <p>A boolean that indicates that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑤">Relying Party</a> would like to fetch the previously-written blob associated with the asserted credential. 
Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑦">authentication</a>.</p> <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticationExtensionsLargeBlobInputs" data-dfn-type="dict-member" data-export id="dom-authenticationextensionslargeblobinputs-write"><code>write</code></dfn>, <span> of type <a data-link-type="idl-name" href="https://webidl.spec.whatwg.org/#BufferSource" id="ref-for-BufferSource①⑤">BufferSource</a></span> <dd data-md> - <p>An opaque byte string that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑤">Relying Party</a> wishes to store with the existing credential. Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑧">authentication</a>.</p> + <p>An opaque byte string that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑥">Relying Party</a> wishes to store with the existing credential. Only valid during <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension①⑧">authentication</a>.</p> </dl> </div> <dt data-md>Client extension processing (<a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension①⑨">registration</a>) 
@@ -7862,7 +7865,7 @@ <h4 class="heading settled" data-level="10.1.5" id="sctn-large-blob-extension">< </div> <dt data-md>Authenticator extension processing <dd data-md> - <p><a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob①">This extension</a> directs the user-agent to cause the large blob to be stored on, or retrieved from, the authenticator. It thus does not specify any direct authenticator interaction for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑥">Relying Parties</a>.</p> + <p><a data-link-type="dfn" href="#largeblob" id="ref-for-largeblob①">This extension</a> directs the user-agent to cause the large blob to be stored on, or retrieved from, the authenticator. It thus does not specify any direct authenticator interaction for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑦">Relying Parties</a>.</p> </dl> <h3 class="heading settled" data-level="10.2" id="sctn-defined-authenticator-extensions"><span class="secno">10.2. </span><span class="content">Authenticator Extensions</span><a class="self-link" href="#sctn-defined-authenticator-extensions"></a></h3> <p>This section defines extensions that are both <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①②">client extensions</a> and <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension①②">authenticator extensions</a>.</p> 
@@ -8225,7 +8228,7 @@ <h3 class="heading settled" data-level="11.5" id="sctn-automation-add-credential <li data-md> <p>Let <var>rpId</var> be the <var>parameters</var>’ <var>rpId</var> property.</p> <li data-md> - <p>If <var>rpId</var> is not a valid <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤②">RP ID</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①①">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①①">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⓪">invalid argument</a>.</p> + <p>If <var>rpId</var> is not a valid <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤④">RP ID</a>, return a <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error" id="ref-for-dfn-error①①">WebDriver error</a> with <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-error-code" id="ref-for-dfn-error-code①①">WebDriver error code</a> <a data-link-type="dfn" href="https://w3c.github.io/webdriver/#dfn-invalid-argument" id="ref-for-dfn-invalid-argument①⓪">invalid argument</a>.</p> <li data-md> <p>Let <var>privateKey</var> be the result of decoding <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding③③">Base64url Encoding</a> on the <var>parameters</var>’ <var>privateKey</var> property.</p> <li data-md> 
@@ -8572,13 +8575,13 @@ <h3 class="heading settled" data-level="12.4" id="sctn-extensions-reg"><span cla <p>WebAuthn Extension Identifier: credProps</p> <li data-md> <p>Description: This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①③">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②①">registration extension</a> enables reporting of a newly-created <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑥">credential</a>'s properties, -as determined by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑦">client</a>, to the calling <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥③">WebAuthn Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑤">web application</a>.</p> +as determined by the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑧">client</a>, to the calling <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥③">WebAuthn Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑤">web application</a>.</p> <li data-md> <p>Specification Document: Section <a href="#sctn-authenticator-credential-properties-extension">§ 10.1.3 Credential Properties Extension (credProps)</a> of this specification <br><br></p> <li data-md> <p>WebAuthn Extension Identifier: largeBlob</p> <li data-md> - <p>Description: This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①④">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②②">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension②①">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" 
id="ref-for-relying-party③②⑦">Relying Party</a> to store opaque data associated with a credential.</p> + <p>Description: This <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension①④">client</a> <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension②②">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension②①">authentication extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑧">Relying Party</a> to store opaque data associated with a credential.</p> <li data-md> <p>Specification Document: Section <a href="#sctn-large-blob-extension">§ 10.1.5 Large blob storage extension (largeBlob)</a> of this specification</p> </ul> 
@@ -8586,39 +8589,39 @@ <h2 class="heading settled" data-level="13" id="sctn-security-considerations"><s <p>This specification defines a <a href="#sctn-api">Web API</a> and a cryptographic peer-entity authentication protocol. The <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api①⑦">Web Authentication API</a> allows Web developers (i.e., "authors") to utilize the Web Authentication protocol in their <a data-link-type="dfn" href="#registration" id="ref-for-registration②②">registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑤">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①③">ceremonies</a>. The entities comprising the Web Authentication protocol endpoints are user-controlled <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⓪">WebAuthn Authenticators</a> and a <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥④">WebAuthn Relying Party</a>'s -computing environment hosting the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑧">Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑥">web application</a>. -In this model, the user agent, together with the <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②①">WebAuthn Client</a>, comprise an intermediary between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑦">authenticators</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑨">Relying Parties</a>. 
-Additionally, <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑧">authenticators</a> can <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②④">attest</a> to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⓪">Relying Parties</a> as to their provenance.</p> +computing environment hosting the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③②⑨">Relying Party</a>'s <a data-link-type="dfn" href="#web-application" id="ref-for-web-application⑥">web application</a>. +In this model, the user agent, together with the <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②①">WebAuthn Client</a>, comprise an intermediary between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑦">authenticators</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⓪">Relying Parties</a>. +Additionally, <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑧">authenticators</a> can <a data-link-type="dfn" href="#attestation" id="ref-for-attestation②④">attest</a> to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③①">Relying Parties</a> as to their provenance.</p> <p>At this time, this specification does not feature detailed security considerations. However, the <a data-link-type="biblio" href="#biblio-fidosecref" title="FIDO Security Reference">[FIDOSecRef]</a> document provides a security analysis which is overall applicable to this specification. Also, the <a data-link-type="biblio" href="#biblio-fidoauthnrsecreqs" title="FIDO Authenticator Security Requirements">[FIDOAuthnrSecReqs]</a> document suite provides useful information about <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑥⑨">authenticator</a> security characteristics.</p> <p>The below subsections comprise the current Web Authentication-specific security considerations. 
They are divided by audience; general security considerations are direct subsections of this section, -while security considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⓪">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑧">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③①">Relying Party</a> implementers +while security considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⓪">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑨">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③②">Relying Party</a> implementers are grouped into respective subsections.</p> <h3 class="heading settled" data-level="13.1" id="sctn-credentialIdSecurity"><span class="secno">13.1. </span><span class="content">Credential ID Unsigned</span><a class="self-link" href="#sctn-credentialIdSecurity"></a></h3> <p>The <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⑦">credential ID</a> accompanying an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①④">authentication assertion</a> is not signed. 
This is not a problem because all that would happen if an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦①">authenticator</a> returns the wrong <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⑧">credential ID</a>, or if an attacker intercepts and manipulates the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id④⑨">credential ID</a>, is that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥⑤">WebAuthn Relying Party</a> would not look up the correct <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑤">credential public key</a> with which to verify the returned signed <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data⑤⑦">authenticator data</a> (a.k.a., <a data-link-type="dfn" href="#assertion" id="ref-for-assertion①⓪">assertion</a>), and thus the interaction would end in an error.</p> <h3 class="heading settled" data-level="13.2" id="sctn-client-authenticator-proximity"><span class="secno">13.2. </span><span class="content">Physical Proximity between Client and Authenticator</span><a class="self-link" href="#sctn-client-authenticator-proximity"></a></h3> - <p>In the WebAuthn <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model④">authenticator model</a>, it is generally assumed that <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②④">roaming authenticators</a> are physically close to, and communicate directly with, the <a data-link-type="dfn" href="#client" id="ref-for-client①⓪⑨">client</a>. 
+ <p>In the WebAuthn <a data-link-type="dfn" href="#authenticator-model" id="ref-for-authenticator-model④">authenticator model</a>, it is generally assumed that <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②④">roaming authenticators</a> are physically close to, and communicate directly with, the <a data-link-type="dfn" href="#client" id="ref-for-client①①⓪">client</a>. This arrangement has some important advantages.</p> - <p>The promise of physical proximity between <a data-link-type="dfn" href="#client" id="ref-for-client①①⓪">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦②">authenticator</a> is a key strength of a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⑤">something you have</a> <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⑥">authentication factor</a>. + <p>The promise of physical proximity between <a data-link-type="dfn" href="#client" id="ref-for-client①①①">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦②">authenticator</a> is a key strength of a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⑤">something you have</a> <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⑥">authentication factor</a>. For example, if a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②⑤">roaming authenticator</a> can communicate only via USB or Bluetooth, the limited range of these transports ensures that any malicious actor must physically be within that range in order to interact with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦③">authenticator</a>. 
This is not necessarily true of an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦④">authenticator</a> that can be invoked remotely — even if the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑤">authenticator</a> verifies <a data-link-type="dfn" href="#concept-user-present" id="ref-for-concept-user-present④">user presence</a>, users can be tricked into authorizing remotely initiated malicious requests.</p> - <p>Direct communication between <a data-link-type="dfn" href="#client" id="ref-for-client①①①">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑥">authenticator</a> means the <a data-link-type="dfn" href="#client" id="ref-for-client①①②">client</a> can enforce the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⓪">scope</a> restrictions for <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑦">credentials</a>. -By contrast, if the communication between <a data-link-type="dfn" href="#client" id="ref-for-client①①③">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑦">authenticator</a> is mediated by some third party, -then the <a data-link-type="dfn" href="#client" id="ref-for-client①①④">client</a> has to trust the third party to + <p>Direct communication between <a data-link-type="dfn" href="#client" id="ref-for-client①①②">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑥">authenticator</a> means the <a data-link-type="dfn" href="#client" id="ref-for-client①①③">client</a> can enforce the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⓪">scope</a> restrictions for <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑦">credentials</a>. 
+By contrast, if the communication between <a data-link-type="dfn" href="#client" id="ref-for-client①①④">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑦">authenticator</a> is mediated by some third party, +then the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑤">client</a> has to trust the third party to enforce the <a data-link-type="dfn" href="#scope" id="ref-for-scope②①">scope</a> restrictions and control access to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑧">authenticator</a>. Failure to do either could result in -a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③②">Relying Party</a> receiving <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑤">authentication assertions</a> valid for other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③③">Relying Parties</a>, +a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③③">Relying Party</a> receiving <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑤">authentication assertions</a> valid for other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③④">Relying Parties</a>, or in a malicious user gaining access to <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑥">authentication assertions</a> for other users.</p> - <p>If designing a solution where the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑨">authenticator</a> does not need to be physically close to the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑤">client</a>, -or where <a data-link-type="dfn" href="#client" id="ref-for-client①①⑥">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⓪">authenticator</a> do not communicate directly, + <p>If designing a 
solution where the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑦⑨">authenticator</a> does not need to be physically close to the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑥">client</a>, +or where <a data-link-type="dfn" href="#client" id="ref-for-client①①⑦">client</a> and <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⓪">authenticator</a> do not communicate directly, designers SHOULD consider how this affects the enforcement of <a data-link-type="dfn" href="#scope" id="ref-for-scope②②">scope</a> restrictions and the strength of the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧①">authenticator</a> as a <a data-link-type="dfn" href="https://pages.nist.gov/800-63-3/sp800-63-3.html#af" id="ref-for-af②⑦">something you have</a> authentication factor.</p> <h3 class="heading settled" data-level="13.3" id="sctn-security-considerations-authenticator"><span class="secno">13.3. </span><span class="content">Security considerations for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧②">authenticators</a> <span id="sctn-attestation-security-considerations"></span></span><a class="self-link" href="#sctn-security-considerations-authenticator"></a></h3> 
@@ -8637,38 +8640,38 @@ <h4 class="heading settled" data-level="13.3.2" id="sctn-ca-compromise"><span cl Authenticator manufacturer may need to ship a firmware update and inject new <a data-link-type="dfn" href="#attestation-private-key" id="ref-for-attestation-private-key⑤">attestation private keys</a> and <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①①">certificates</a> into already manufactured <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑥">WebAuthn Authenticators</a>, if the exposure was due to a firmware flaw. (The process by which this happens is out of scope for this specification.) If the <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑦">WebAuthn Authenticator</a> manufacturer does not have this capability, then it may not be -possible for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③④">Relying Parties</a> to trust any further <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑨">attestation statements</a> from the affected <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑧">WebAuthn Authenticators</a>.</p> - <p>See also the related security consideration for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑤">Relying Parties</a> in <a href="#sctn-revoked-attestation-certificates">§ 13.4.5 Revoked Attestation Certificates</a>.</p> - <h3 class="heading settled" data-level="13.4" id="sctn-security-considerations-rp"><span class="secno">13.4. 
</span><span class="content">Security considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑥">Relying Parties</a></span><a class="self-link" href="#sctn-security-considerations-rp"></a></h3> +possible for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑤">Relying Parties</a> to trust any further <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement③⑨">attestation statements</a> from the affected <a data-link-type="dfn" href="#webauthn-authenticator" id="ref-for-webauthn-authenticator①⑧">WebAuthn Authenticators</a>.</p> + <p>See also the related security consideration for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑥">Relying Parties</a> in <a href="#sctn-revoked-attestation-certificates">§ 13.4.5 Revoked Attestation Certificates</a>.</p> + <h3 class="heading settled" data-level="13.4" id="sctn-security-considerations-rp"><span class="secno">13.4. </span><span class="content">Security considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑦">Relying Parties</a></span><a class="self-link" href="#sctn-security-considerations-rp"></a></h3> <h4 class="heading settled" data-level="13.4.1" id="sctn-rp-benefits"><span class="secno">13.4.1. 
</span><span class="content">Security Benefits for WebAuthn Relying Parties</span><a class="self-link" href="#sctn-rp-benefits"></a></h4> <p>The main benefits offered to <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥⑦">WebAuthn Relying Parties</a> by this specification include:</p> <ol> <li data-md> <p>Users and accounts can be secured using widely compatible, easy-to-use multi-factor authentication.</p> <li data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑦">Relying Party</a> does not need to provision <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧④">authenticator</a> hardware to its users. Instead, each user can independently obtain -any conforming <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑤">authenticator</a> and use that same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑥">authenticator</a> with any number of <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑧">Relying Parties</a>. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑨">Relying Party</a> can optionally + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑧">Relying Party</a> does not need to provision <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧④">authenticator</a> hardware to its users. Instead, each user can independently obtain +any conforming <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑤">authenticator</a> and use that same <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑥">authenticator</a> with any number of <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③③⑨">Relying Parties</a>. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⓪">Relying Party</a> can optionally enforce requirements on <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑦">authenticators</a>' security properties by inspecting the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④⓪">attestation statements</a> returned from the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑧">authenticators</a>.</p> <li data-md> <p><a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⓪">Authentication ceremonies</a> are resistant to <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186">man-in-the-middle attacks</a>. Regarding <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⓪">registration ceremonies</a>, see <a href="#sctn-attestation-limitations">§ 13.4.4 Attestation Limitations</a>, below.</p> <li data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⓪">Relying Party</a> can automatically support multiple types of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑦">user verification</a> - for example PIN, biometrics and/or future + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④①">Relying Party</a> can automatically support multiple types of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑦">user verification</a> - for example PIN, biometrics and/or future methods - with little or no code change, and can let each user decide which they prefer to use via their choice of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑧⑨">authenticator</a>.</p> <li data-md> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④①">Relying Party</a> does not need to store additional secrets in 
order to gain the above benefits.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④②">Relying Party</a> does not need to store additional secrets in order to gain the above benefits.</p> </ol> - <p>As stated in the <a href="#sctn-conforming-relying-parties">Conformance</a> section, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④②">Relying Party</a> MUST behave as described in <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a> to obtain all of the above security benefits. However, one notable use case that departs slightly from this is described below in <a href="#sctn-attestation-limitations">§ 13.4.4 Attestation Limitations</a>.</p> + <p>As stated in the <a href="#sctn-conforming-relying-parties">Conformance</a> section, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④③">Relying Party</a> MUST behave as described in <a href="#sctn-rp-operations">§ 7 WebAuthn Relying Party Operations</a> to obtain all of the above security benefits. However, one notable use case that departs slightly from this is described below in <a href="#sctn-attestation-limitations">§ 13.4.4 Attestation Limitations</a>.</p> <h4 class="heading settled" data-level="13.4.2" id="sctn-seccons-visibility"><span class="secno">13.4.2. 
</span><span class="content">Visibility Considerations for Embedded Usage</span><a class="self-link" href="#sctn-seccons-visibility"></a></h4> - <p>Simplistic use of WebAuthn in an embedded context, e.g., within <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code>s as described in <a href="#sctn-iframe-guidance">§ 5.10 Using Web Authentication within iframe elements</a>, may make users vulnerable to <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ui-redressing">UI Redressing</dfn> attacks, also known as "<a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a>". This is where an attacker overlays their own UI on top of a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④③">Relying Party</a>'s intended UI and attempts to trick the user into performing unintended actions with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④④">Relying Party</a>. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.</p> - <p>Even though WebAuthn-specific UI is typically handled by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑦">client platform</a> and thus is not vulnerable to <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing①">UI Redressing</a>, it is likely important for an <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑤">Relying Party</a> having embedded WebAuthn-wielding content to ensure that their content’s UI is visible to the user. An emerging means to do so is by observing the status of the experimental <a href="https://w3c.github.io/IntersectionObserver/v2/">Intersection Observer v2</a>'s <code>isVisible</code> attribute. 
For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑥">Relying Party</a>'s script running in the embedded context could pre-emptively load itself in a popup window if it detects <code>isVisble</code> being set to <code>false</code>, thus side-stepping any occlusion of their content.</p> + <p>Simplistic use of WebAuthn in an embedded context, e.g., within <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code>s as described in <a href="#sctn-iframe-guidance">§ 5.10 Using Web Authentication within iframe elements</a>, may make users vulnerable to <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ui-redressing">UI Redressing</dfn> attacks, also known as "<a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a>". This is where an attacker overlays their own UI on top of a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④④">Relying Party</a>'s intended UI and attempts to trick the user into performing unintended actions with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑤">Relying Party</a>. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.</p> + <p>Even though WebAuthn-specific UI is typically handled by the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑦">client platform</a> and thus is not vulnerable to <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing①">UI Redressing</a>, it is likely important for an <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑥">Relying Party</a> having embedded WebAuthn-wielding content to ensure that their content’s UI is visible to the user. 
An emerging means to do so is by observing the status of the experimental <a href="https://w3c.github.io/IntersectionObserver/v2/">Intersection Observer v2</a>'s <code>isVisible</code> attribute. For example, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑦">Relying Party</a>'s script running in the embedded context could pre-emptively load itself in a popup window if it detects <code>isVisble</code> being set to <code>false</code>, thus side-stepping any occlusion of their content.</p> <h4 class="heading settled" data-level="13.4.3" id="sctn-cryptographic-challenges"><span class="secno">13.4.3. </span><span class="content">Cryptographic Challenges</span><a class="self-link" href="#sctn-cryptographic-challenges"></a></h4> <p>As a cryptographic protocol, Web Authentication is dependent upon randomized challenges to avoid replay attacks. Therefore, the values of both <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialcreationoptions" id="ref-for-dictdef-publickeycredentialcreationoptions①②">PublicKeyCredentialCreationOptions</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-challenge" id="ref-for-dom-publickeycredentialcreationoptions-challenge③">challenge</a></code> and <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions①②">PublicKeyCredentialRequestOptions</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge④">challenge</a></code> MUST be randomly generated -by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑦">Relying Parties</a> in an environment they trust (e.g., on the server-side), and the +by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑧">Relying Parties</a> in an environment they trust (e.g., on 
the server-side), and the returned <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge⑧">challenge</a></code> value in the client’s response MUST match what was generated. This SHOULD be done in a fashion that does not rely -upon a client’s behavior, e.g., the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑧">Relying Party</a> SHOULD store the challenge temporarily +upon a client’s behavior, e.g., the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑨">Relying Party</a> SHOULD store the challenge temporarily until the operation is complete. Tolerating a mismatch will compromise the security of the protocol.</p> <p>Challenges SHOULD be valid for a duration similar to the 
@@ -8681,111 +8684,111 @@ <h4 class="heading settled" data-level="13.4.4" id="sctn-attestation-limitations may allow the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥⑧">WebAuthn Relying Party</a> to derive assurances about various <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⓪">authenticator</a> qualities. For example, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨①">authenticator</a> model, or how it stores and protects <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑦">credential private keys</a>. However, it is important to note that an <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④②">attestation statement</a>, on its own, -provides no means for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③④⑨">Relying Party</a> to verify that an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑧">attestation object</a> was generated +provides no means for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⓪">Relying Party</a> to verify that an <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑧">attestation object</a> was generated by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨②">authenticator</a> the user intended, and not by a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186①">man-in-the-middle attacker</a>. -For example, such an attacker could use malicious code injected into <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⓪">Relying Party</a> script. 
-The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤①">Relying Party</a> must therefore rely on other means, e.g., TLS and related technologies, +For example, such an attacker could use malicious code injected into <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤①">Relying Party</a> script. +The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤②">Relying Party</a> must therefore rely on other means, e.g., TLS and related technologies, to protect the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑨">attestation object</a> from <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186②">man-in-the-middle attacks</a>.</p> <p>Under the assumption that a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②①">registration ceremony</a> is completed securely, and that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨③">authenticator</a> maintains confidentiality of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑧">credential private key</a>, subsequent <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④①">authentication ceremonies</a> using that <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥①">public key credential</a> are resistant to tampering by <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186③">man-in-the-middle attacks</a>.</p> <p>The discussion above holds for all <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②④">attestation types</a>. 
In all cases it is possible for a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186④">man-in-the-middle attacker</a> to replace the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential③⓪">PublicKeyCredential</a></code> object, including the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④③">attestation statement</a> and the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑥">credential public key</a> to be registered, and subsequently tamper with future <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑦">authentication assertions</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope②③">scoped</a> for the -same <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤②">Relying Party</a> and passing through the same attacker.</p> - <p>Such an attack would potentially be detectable; since the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤③">Relying Party</a> has registered the attacker’s <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑦">credential public key</a> rather -than the user’s, the attacker must tamper with all subsequent <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④②">authentication ceremonies</a> with that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤④">Relying Party</a>: unscathed +same <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤③">Relying Party</a> and passing through the same attacker.</p> + <p>Such an attack would potentially be detectable; since the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤④">Relying Party</a> has registered the attacker’s <a data-link-type="dfn" href="#credential-public-key" 
id="ref-for-credential-public-key③⑦">credential public key</a> rather +than the user’s, the attacker must tamper with all subsequent <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④②">authentication ceremonies</a> with that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑤">Relying Party</a>: unscathed ceremonies will fail, potentially revealing the attack.</p> - <p><a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②⑤">Attestation types</a> other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑨">Self Attestation</a> and <a data-link-type="dfn" href="#none" id="ref-for-none⑧">None</a> can increase the difficulty of such attacks, since <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑤">Relying Parties</a> can possibly display <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨④">authenticator</a> information, e.g., model designation, to the user. 
An attacker might therefore need to use -a genuine <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑤">authenticator</a> of the same model as the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑥">authenticator</a>, or the user might notice that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑥">Relying Party</a> reports + <p><a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type②⑤">Attestation types</a> other than <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation①⑨">Self Attestation</a> and <a data-link-type="dfn" href="#none" id="ref-for-none⑧">None</a> can increase the difficulty of such attacks, since <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑥">Relying Parties</a> can possibly display <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨④">authenticator</a> information, e.g., model designation, to the user. 
An attacker might therefore need to use +a genuine <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑤">authenticator</a> of the same model as the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑥">authenticator</a>, or the user might notice that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑦">Relying Party</a> reports a different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑦">authenticator</a> model than the user expects.</p> <p class="note" role="note"><span class="marker">Note:</span> All variants of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186⑤">man-in-the-middle attacks</a> described above are more difficult for an attacker to mount than a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186⑥">man-in-the-middle attack</a> against conventional password authentication.</p> <h4 class="heading settled" data-level="13.4.5" id="sctn-revoked-attestation-certificates"><span class="secno">13.4.5. 
</span><span class="content">Revoked Attestation Certificates</span><a class="self-link" href="#sctn-revoked-attestation-certificates"></a></h4> - <p>If <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①②">attestation certificate</a> validation fails due to a revoked intermediate attestation CA certificate, and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑦">Relying Party</a>'s policy -requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑧">Relying Party</a> also + <p>If <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①②">attestation certificate</a> validation fails due to a revoked intermediate attestation CA certificate, and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑧">Relying Party</a>'s policy +requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑨">Relying Party</a> also un-registers (or marks with a trust level equivalent to "<a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation②⓪">self attestation</a>") <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥②">public key credentials</a> that were registered after the CA compromise date using an <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①③">attestation certificate</a> chaining up to the same intermediate CA. 
It is thus RECOMMENDED -that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑤⑨">Relying Parties</a> remember intermediate attestation CA certificates during <a data-link-type="dfn" href="#registration" id="ref-for-registration②③">registration</a> in order to un-register +that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⓪">Relying Parties</a> remember intermediate attestation CA certificates during <a data-link-type="dfn" href="#registration" id="ref-for-registration②③">registration</a> in order to un-register related <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥③">public key credentials</a> if the <a data-link-type="dfn" href="#registration" id="ref-for-registration②④">registration</a> was performed after revocation of such certificates.</p> <p>See also the related security consideration for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑧">authenticators</a> in <a href="#sctn-ca-compromise">§ 13.3.2 Attestation Certificate and Attestation Certificate CA Compromise</a>.</p> <h4 class="heading settled" data-level="13.4.6" id="sctn-credential-loss-key-mobility"><span class="secno">13.4.6. </span><span class="content">Credential Loss and Key Mobility</span><a class="self-link" href="#sctn-credential-loss-key-mobility"></a></h4> <p>This specification defines no protocol for backing up <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key①⑨">credential private keys</a>, or for sharing them between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator②⑨⑨">authenticators</a>. In general, it is expected that a <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②⓪">credential private key</a> never leaves the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⓪">authenticator</a> that created it. 
Losing an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪①">authenticator</a> therefore, in general, means losing all <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥④">credentials</a> <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①⑤">bound</a> to the -lost <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪②">authenticator</a>, which could lock the user out of an account if the user has only one <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑤">credential</a> registered with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⓪">Relying Party</a>. Instead of backing up or sharing private keys, the Web Authentication API allows registering +lost <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪②">authenticator</a>, which could lock the user out of an account if the user has only one <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑤">credential</a> registered with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥①">Relying Party</a>. Instead of backing up or sharing private keys, the Web Authentication API allows registering multiple <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑥">credentials</a> for the same user. 
For example, a user might register <a data-link-type="dfn" href="#platform-credential" id="ref-for-platform-credential②">platform credentials</a> on frequently used <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⑤">client devices</a>, and one or more <a data-link-type="dfn" href="#roaming-credential" id="ref-for-roaming-credential①">roaming credentials</a> for use as backup and with new or rarely used <a data-link-type="dfn" href="#client-device" id="ref-for-client-device④⑥">client devices</a>.</p> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥①">Relying Parties</a> SHOULD allow and encourage users to register multiple <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑦">credentials</a> to the same <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑥">user account</a>. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥②">Relying Parties</a> SHOULD make use of the <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials③">excludeCredentials</a></code></code> and <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user⑧">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id①⓪">id</a></code></code> options to ensure that these + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥②">Relying Parties</a> SHOULD allow and encourage users to register multiple <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑦">credentials</a> to the same <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑥">user account</a>. 
<a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥③">Relying Parties</a> SHOULD make use of the <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials③">excludeCredentials</a></code></code> and <code><code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-user" id="ref-for-dom-publickeycredentialcreationoptions-user⑧">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id①⓪">id</a></code></code> options to ensure that these different <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑧">credentials</a> are <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①⑥">bound</a> to different <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪③">authenticators</a>.</p> <h4 class="heading settled" data-level="13.4.7" id="sctn-unprotected-account-detection"><span class="secno">13.4.7. </span><span class="content">Unprotected account detection</span><a class="self-link" href="#sctn-unprotected-account-detection"></a></h4> <p><em>This section is not normative.</em></p> - <p>This security consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥③">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④③">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑦">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑧">allowCredentials</a></code> argument as the first authentication step. 
+ <p>This security consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥④">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④③">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑦">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑧">allowCredentials</a></code> argument as the first authentication step. For example, if using authentication with <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①⑤">server-side credentials</a> as the first authentication step.</p> <p>In this case the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials②⑨">allowCredentials</a></code> argument risks leaking information about which <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑦">user accounts</a> have WebAuthn credentials registered and which do not, which may be a signal of account protection strength. 
For example, say an attacker can initiate an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④④">authentication ceremony</a> by providing only a username, -and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥④">Relying Party</a> responds with a non-empty <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⓪">allowCredentials</a></code> for some <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑧">user accounts</a>, +and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑤">Relying Party</a> responds with a non-empty <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⓪">allowCredentials</a></code> for some <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑧">user accounts</a>, and with failure or a password challenge for other <a data-link-type="dfn" href="#user-account" id="ref-for-user-account③⑨">user accounts</a>. The attacker can then conclude that the latter <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④⓪">user accounts</a> likely do not require a WebAuthn <a data-link-type="dfn" href="#assertion" id="ref-for-assertion①①">assertion</a> for successful authentication, and thus focus an attack on those likely weaker accounts.</p> <p>This issue is similar to the one described in <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a> and <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a>, and can be mitigated in similar ways.</p> <h4 class="heading settled" data-level="13.4.8" id="sctn-code-injection"><span class="secno">13.4.8. 
</span><span class="content">Code injection attacks</span><a class="self-link" href="#sctn-code-injection"></a></h4> - <p>Any malicious code executing on an <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑦">origin</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②④">scope</a> of a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑤">Relying Party</a>'s <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑨">public key credentials</a> has the potential to invalidate any and all security guarantees WebAuthn may provide. <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②②">WebAuthn Clients</a> only expose the WebAuthn API in <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#secure-context" id="ref-for-secure-context①">secure contexts</a>, -which mitigates the most basic attacks but SHOULD be combined with additional precautions by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑥">Relying Parties</a>.</p> + <p>Any malicious code executing on an <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑦">origin</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②④">scope</a> of a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑥">Relying Party</a>'s <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑥⑨">public key credentials</a> has the potential to invalidate any and all security guarantees WebAuthn may provide. 
<a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client②②">WebAuthn Clients</a> only expose the WebAuthn API in <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#secure-context" id="ref-for-secure-context①">secure contexts</a>, +which mitigates the most basic attacks but SHOULD be combined with additional precautions by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑦">Relying Parties</a>.</p> <p>Code injection can happen in several ways; this section attempts to point out some likely scenarios and suggest suitable mitigations, but is not an exhaustive list.</p> <ul> <li data-md> - <p>Malicous code could be injected by a third-party script included by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑦">Relying Party</a>, + <p>Malicous code could be injected by a third-party script included by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑧">Relying Party</a>, either intentionally or due to a security vulnerability in the third party.</p> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑧">Relying Party</a> therefore SHOULD limit the amount of third-party script included on the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑧">origins</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑤">scope</a> of its <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑧">credentials</a>.</p> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑨">Relying Party</a> SHOULD use Content Security Policy <a data-link-type="biblio" href="#biblio-csp2" title="Content Security Policy Level 2">[CSP2]</a>, + <p>The <a 
data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑥⑨">Relying Party</a> therefore SHOULD limit the amount of third-party script included on the <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑧">origins</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑤">scope</a> of its <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑧">credentials</a>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⓪">Relying Party</a> SHOULD use Content Security Policy <a data-link-type="biblio" href="#biblio-csp2" title="Content Security Policy Level 2">[CSP2]</a>, and/or other appropriate technologies available at the time, to limit what script can run on its <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised⑨">origins</a>.</p> <li data-md> - <p>Malicious code could, by the credential <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑥">scope</a> rules, be hosted on a subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤③">RP ID</a>. -For example, user-submitted code hosted on <code>usercontent.example.org</code> could exercise any <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑨">credentials</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑦">scoped</a> to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤④">RP ID</a> <code>example.org</code>. 
-If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⓪">Relying Party</a> allows a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑨">origin</a></code> when <a href="#rp-op-verifying-assertion-step-origin">verifying the assertion</a>, + <p>Malicious code could, by the credential <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑥">scope</a> rules, be hosted on a subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑤">RP ID</a>. +For example, user-submitted code hosted on <code>usercontent.example.org</code> could exercise any <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential②⑨">credentials</a> <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑦">scoped</a> to the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑥">RP ID</a> <code>example.org</code>. +If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦①">Relying Party</a> allows a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin⑨">origin</a></code> when <a href="#rp-op-verifying-assertion-step-origin">verifying the assertion</a>, malicious users could use this to launch a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-186" id="ref-for-page-186⑦">man-in-the-middle attack</a> to obtain valid <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion①⑧">authentication assertions</a> and impersonate the victims of the attack.</p> - <p>Therefore, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦①">Relying Party</a> by default SHOULD NOT allow a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" 
id="ref-for-dom-collectedclientdata-origin①⓪">origin</a></code> when <a href="#rp-op-verifying-assertion-step-origin">verifying the assertion</a>. -If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦②">Relying Party</a> needs to allow a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①①">origin</a></code>, -then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦③">Relying Party</a> MUST NOT serve untrusted code on any allowed subdomain of <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised①⓪">origins</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑧">scope</a> of its <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⓪">public key credentials</a>.</p> + <p>Therefore, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦②">Relying Party</a> by default SHOULD NOT allow a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⓪">origin</a></code> when <a href="#rp-op-verifying-assertion-step-origin">verifying the assertion</a>. 
+If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦③">Relying Party</a> needs to allow a subdomain <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①①">origin</a></code>, +then the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦④">Relying Party</a> MUST NOT serve untrusted code on any allowed subdomain of <a data-link-type="dfn" href="#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised" id="ref-for-determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised①⓪">origins</a> within the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑧">scope</a> of its <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⓪">public key credentials</a>.</p> </ul> <h4 class="heading settled" data-level="13.4.9" id="sctn-validating-origin"><span class="secno">13.4.9. </span><span class="content">Validating the origin of a credential</span><a class="self-link" href="#sctn-validating-origin"></a></h4> <p>When <a href="#rp-op-registering-a-new-credential-step-origin">registering a credential</a> and when <a href="#rp-op-verifying-assertion-step-origin">verifying an assertion</a>, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦④">Relying Party</a> MUST validate the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①②">origin</a></code> member of the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①④">client data</a>.</p> - <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑤">Relying Party</a> MUST NOT accept unexpected values of <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①③">origin</a></code>, +the <a data-link-type="dfn" 
href="#relying-party" id="ref-for-relying-party③⑦⑤">Relying Party</a> MUST validate the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①②">origin</a></code> member of the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①④">client data</a>.</p> + <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑥">Relying Party</a> MUST NOT accept unexpected values of <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①③">origin</a></code>, as doing so could allow a malicious website to obtain valid <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential③⓪">credentials</a>. Although the <a data-link-type="dfn" href="#scope" id="ref-for-scope②⑨">scope</a> of WebAuthn credentials prevents their use on domains -outside the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑤">RP ID</a> they were registered for, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑥">Relying Party</a>'s origin validation serves as an additional layer of protection +outside the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑦">RP ID</a> they were registered for, +the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑦">Relying Party</a>'s origin validation serves as an additional layer of protection in case a faulty <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪④">authenticator</a> fails to enforce credential <a data-link-type="dfn" href="#scope" id="ref-for-scope③⓪">scope</a>. 
See also <a href="#sctn-code-injection">§ 13.4.8 Code injection attacks</a> for discussion of potentially malicious subdomains.</p> - <p>Validation MAY be performed by exact string matching or any other method as needed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑦">Relying Party</a>. + <p>Validation MAY be performed by exact string matching or any other method as needed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑧">Relying Party</a>. For example:</p> <ul> <li data-md> <p>A web application served only at <code>https://example.org</code> SHOULD require <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①④">origin</a></code> to exactly equal <code>https://example.org</code>.</p> <p>This is the simplest case, where <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑤">origin</a></code> is expected -to be the string <code>https://</code> followed by the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑥">RP ID</a>.</p> +to be the string <code>https://</code> followed by the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑧">RP ID</a>.</p> <li data-md> <p>A web application served at a small number of domains might require <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑥">origin</a></code> to exactly equal some element of a list of allowed origins, for example the list <code>["https://example.org", "https://login.example.org"]</code>.</p> <li data-md> <p>A web application leveraging <a href="#sctn-related-origins">related origin requests</a> might also require <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑦">origin</a></code> to exactly equal some element of a list of allowed origins, for 
example the list <code>["https://example.co.uk", "https://example.de", "https://myexamplerewards.com"]</code>. -This list will typically match the origins listed in the well-known URI for the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑦">RP ID</a>. See <a href="#sctn-related-origins">§ 5.11 Using Web Authentication across related origins</a>.</p> +This list will typically match the origins listed in the well-known URI for the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑨">RP ID</a>. See <a href="#sctn-related-origins">§ 5.11 Using Web Authentication across related origins</a>.</p> <li data-md> - <p>A web application served at a large set of domains that changes often might parse <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑧">origin</a></code> structurally and require that the URL scheme is <code>https</code> and that the authority equals or is any subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑧">RP ID</a> - for example, <code>example.org</code> or any subdomain of <code>example.org</code>).</p> - <p class="note" role="note"><span class="marker">Note:</span> See <a href="#sctn-code-injection">§ 13.4.8 Code injection attacks</a> for a discussion of the risks of allowing any subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑤⑨">RP ID</a>.</p> + <p>A web application served at a large set of domains that changes often might parse <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑧">origin</a></code> structurally and require that the URL scheme is <code>https</code> and that the authority equals or is any subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑥⓪">RP ID</a> - for example, <code>example.org</code> or any subdomain of <code>example.org</code>).</p> + <p class="note" role="note"><span class="marker">Note:</span> See 
<a href="#sctn-code-injection">§ 13.4.8 Code injection attacks</a> for a discussion of the risks of allowing any subdomain of the <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id⑥①">RP ID</a>.</p> <li data-md> <p>A web application with a companion native application might allow <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin①⑨">origin</a></code> to be an operating system dependent -identifier for the native application. For example, such a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑧">Relying Party</a> might require that <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin②⓪">origin</a></code> exactly equals some element of the list <code>["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"]</code>.</p> +identifier for the native application. For example, such a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑨">Relying Party</a> might require that <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin②⓪">origin</a></code> exactly equals some element of the list <code>["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"]</code>.</p> </ul> <p>Similar considerations apply when validating the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①③">topOrigin</a></code> member of the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data①⑤">client data</a>. 
-When <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①④">topOrigin</a></code> is present, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑦⑨">Relying Party</a> MUST validate that its value is expected. -This validation MAY be performed by exact string matching or any other method as needed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⓪">Relying Party</a>. +When <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-toporigin" id="ref-for-dom-collectedclientdata-toporigin①④">topOrigin</a></code> is present, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⓪">Relying Party</a> MUST validate that its value is expected. +This validation MAY be performed by exact string matching or any other method as needed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧①">Relying Party</a>. For example:</p> <ul> <li data-md> 
@@ -8803,7 +8806,7 @@ <h2 class="heading settled" data-level="14" id="sctn-privacy-considerations"><sp <p>The privacy principles in <a data-link-type="biblio" href="#biblio-fido-privacy-principles" title="FIDO Privacy Principles">[FIDO-Privacy-Principles]</a> also apply to this specification.</p> <p>This section is divided by audience; general privacy considerations are direct subsections of this section, -while privacy considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑤">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client①①⑦">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧①">Relying Party</a> implementers +while privacy considerations specifically for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑤">authenticator</a>, <a data-link-type="dfn" href="#client" id="ref-for-client①①⑧">client</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧②">Relying Party</a> implementers are grouped into respective subsections.</p> <h3 class="heading settled" data-level="14.1" id="sctn-privacy-attacks"><span class="secno">14.1. </span><span class="content">De-anonymization Prevention Measures</span><a class="self-link" href="#sctn-privacy-attacks"></a></h3> <p><em>This section is not normative.</em></p> 
@@ -8815,55 +8818,55 @@ <h3 class="heading settled" data-level="14.1" id="sctn-privacy-attacks"><span cl <li data-md> <p>The user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⓪">credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑧">credential public keys</a>.</p> <p>These are registered by the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑥⑨">WebAuthn Relying Party</a> and subsequently used by the user to prove possession of the corresponding <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key②①">credential -private key</a>. They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑧">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑥">authenticator</a>.</p> +private key</a>. They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑨">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑥">authenticator</a>.</p> <li data-md> - <p>The user’s identities specific to each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧②">Relying Party</a>, e.g., usernames and <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑤">user handles</a>.</p> - <p>These identities are obviously used by each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧③">Relying Party</a> to identify a user in their system. 
They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①①⑨">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑦">authenticator</a>.</p> + <p>The user’s identities specific to each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧③">Relying Party</a>, e.g., usernames and <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑤">user handles</a>.</p> + <p>These identities are obviously used by each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧④">Relying Party</a> to identify a user in their system. They are also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②⓪">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑦">authenticator</a>.</p> <li data-md> <p>The user’s biometric characteristic(s), e.g., fingerprints or facial recognition data <a data-link-type="biblio" href="#biblio-isobiometricvocabulary" title="Information technology — Vocabulary — Biometrics">[ISOBiometricVocabulary]</a>.</p> - <p>This is optionally used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑧">authenticator</a> to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑧">user verification</a>. 
It is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧④">Relying Party</a>, but in -the case of <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③①">platform authenticators</a>, it might be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②⓪">client</a> depending on the implementation.</p> + <p>This is optionally used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑧">authenticator</a> to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑧">user verification</a>. It is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑤">Relying Party</a>, but in +the case of <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③①">platform authenticators</a>, it might be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②①">client</a> depending on the implementation.</p> <li data-md> <p>The models of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③⓪⑨">authenticators</a>, e.g., product names.</p> - <p>This is exposed in the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④④">attestation statement</a> provided to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑤">Relying Party</a> during <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑤">registration</a>. 
It is also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②①">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⓪">authenticator</a>.</p> + <p>This is exposed in the <a data-link-type="dfn" href="#attestation-statement" id="ref-for-attestation-statement④④">attestation statement</a> provided to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑥">Relying Party</a> during <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑤">registration</a>. It is also visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②②">client</a> in the communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⓪">authenticator</a>.</p> <li data-md> <p>The identities of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①①">authenticators</a>, e.g., serial numbers.</p> - <p>This is possibly used by the <a data-link-type="dfn" href="#client" id="ref-for-client①②②">client</a> to enable communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①②">authenticator</a>, but is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑥">Relying Party</a>.</p> + <p>This is possibly used by the <a data-link-type="dfn" href="#client" id="ref-for-client①②③">client</a> to enable communication with the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①②">authenticator</a>, but is not exposed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑦">Relying Party</a>.</p> </ul> - <p>Some of the above information is necessarily shared with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑦">Relying Party</a>. 
The following sections describe the measures taken to -prevent malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑧">Relying Parties</a> from using it to discover a user’s personal identity.</p> + <p>Some of the above information is necessarily shared with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑧">Relying Party</a>. The following sections describe the measures taken to +prevent malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑨">Relying Parties</a> from using it to discover a user’s personal identity.</p> <h3 class="heading settled" data-level="14.2" id="sctn-non-correlatable-credentials"><span class="secno">14.2. </span><span class="content">Anonymous, Scoped, Non-correlatable <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦①">Public Key Credentials</a></span><a class="self-link" href="#sctn-non-correlatable-credentials"></a></h3> <p><em>This section is not normative.</em></p> <p>Although <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤①">Credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key③⑨">credential public keys</a> are necessarily shared with the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦⓪">WebAuthn Relying Party</a> to enable strong -authentication, they are designed to be minimally identifying and not shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑧⑨">Relying Parties</a>.</p> +authentication, they are designed to be minimally identifying and not shared between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⓪">Relying Parties</a>.</p> <ul> <li data-md> <p><a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤②">Credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" 
id="ref-for-credential-public-key④⓪">credential public keys</a> are meaningless in isolation, as they only identify <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair⑥">credential key pairs</a> and not users directly.</p> <li data-md> - <p>Each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦②">public key credential</a> is strictly <a data-link-type="dfn" href="#scope" id="ref-for-scope③①">scoped</a> to a specific <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⓪">Relying Party</a>, and the <a data-link-type="dfn" href="#client" id="ref-for-client①②③">client</a> ensures that its existence is not -revealed to other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨①">Relying Parties</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨②">Relying Party</a> thus cannot ask the <a data-link-type="dfn" href="#client" id="ref-for-client①②④">client</a> to reveal a user’s other identities.</p> + <p>Each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦②">public key credential</a> is strictly <a data-link-type="dfn" href="#scope" id="ref-for-scope③①">scoped</a> to a specific <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨①">Relying Party</a>, and the <a data-link-type="dfn" href="#client" id="ref-for-client①②④">client</a> ensures that its existence is not +revealed to other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨②">Relying Parties</a>. 
A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨③">Relying Party</a> thus cannot ask the <a data-link-type="dfn" href="#client" id="ref-for-client①②⑤">client</a> to reveal a user’s other identities.</p> <li data-md> - <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①②⑤">client</a> also ensures that the existence of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦③">public key credential</a> is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨③">Relying Party</a> without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑦">user -consent</a>. This is detailed further in <a href="#sctn-make-credential-privacy">§ 14.5.1 Registration Ceremony Privacy</a> and <a href="#sctn-assertion-privacy">§ 14.5.2 Authentication Ceremony Privacy</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨④">Relying Party</a> thus cannot silently identify a user, even if the user has a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦④">public key credential</a> registered and available.</p> + <p>The <a data-link-type="dfn" href="#client" id="ref-for-client①②⑥">client</a> also ensures that the existence of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦③">public key credential</a> is not revealed to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨④">Relying Party</a> without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑦">user +consent</a>. This is detailed further in <a href="#sctn-make-credential-privacy">§ 14.5.1 Registration Ceremony Privacy</a> and <a href="#sctn-assertion-privacy">§ 14.5.2 Authentication Ceremony Privacy</a>. 
A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑤">Relying Party</a> thus cannot silently identify a user, even if the user has a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦④">public key credential</a> registered and available.</p> <li data-md> <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①③">Authenticators</a> ensure that the <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤③">credential IDs</a> and <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key④①">credential public keys</a> of different <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑤">public key credentials</a> are -not correlatable as belonging to the same user. A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑤">Relying Parties</a> thus cannot correlate users between their +not correlatable as belonging to the same user. A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑥">Relying Parties</a> thus cannot correlate users between their systems without additional information, e.g., a willfully reused username or e-mail address.</p> <li data-md> - <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①④">Authenticators</a> ensure that their <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①④">attestation certificates</a> are not unique enough to identify a single <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑤">authenticator</a> or a small group of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑥">authenticators</a>. This is detailed further in <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a>. 
A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑥">Relying Parties</a> thus cannot correlate users between their systems by tracking individual <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑦">authenticators</a>.</p> + <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①④">Authenticators</a> ensure that their <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①④">attestation certificates</a> are not unique enough to identify a single <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑤">authenticator</a> or a small group of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑥">authenticators</a>. This is detailed further in <a href="#sctn-attestation-privacy">§ 14.4.1 Attestation Privacy</a>. A pair of malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑦">Relying Parties</a> thus cannot correlate users between their systems by tracking individual <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑦">authenticators</a>.</p> </ul> <p>Additionally, a <a data-link-type="dfn" href="#client-side-discoverable-public-key-credential-source" id="ref-for-client-side-discoverable-public-key-credential-source⑧">client-side discoverable public key credential source</a> can optionally include a <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑥">user -handle</a> specified by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑦">Relying Party</a>. The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑥">credential</a> can then be used to both identify and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑥">authenticate</a> the user. 
-This means that a privacy-conscious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑧">Relying Party</a> can allow creation of a <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④①">user account</a> without a traditional username, -further improving non-correlatability between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑨">Relying Parties</a>.</p> +handle</a> specified by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑧">Relying Party</a>. The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑥">credential</a> can then be used to both identify and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑥">authenticate</a> the user. +This means that a privacy-conscious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party③⑨⑨">Relying Party</a> can allow creation of a <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④①">user account</a> without a traditional username, +further improving non-correlatability between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⓪">Relying Parties</a>.</p> <h3 class="heading settled" data-level="14.3" id="sctn-biometric-privacy"><span class="secno">14.3. 
</span><span class="content">Authenticator-local <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition④">Biometric Recognition</a></span><a class="self-link" href="#sctn-biometric-privacy"></a></h3> <p><a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator①">Biometric authenticators</a> perform the <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition⑤">biometric recognition</a> internally in the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑧">authenticator</a> - though for <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③②">platform -authenticators</a> the biometric data might also be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②⑥">client</a>, depending on the implementation. Biometric data is -not revealed to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦①">WebAuthn Relying Party</a>; it is used only locally to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑨">user verification</a> authorizing the creation and <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑥">registration</a> of, or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑦">authentication</a> using, a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑦">public key credential</a>. 
A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⓪">Relying Party</a> therefore cannot discover the -user’s personal identity via biometric data, and a security breach at a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪①">Relying Party</a> cannot expose biometric data for an attacker to -use for forging logins at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪②">Relying Parties</a>.</p> - <p>In the case where a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪③">Relying Party</a> requires <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition⑥">biometric recognition</a>, this is performed locally by the <a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator②">biometric authenticator</a> perfoming <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥⓪">user verification</a> and then signaling the result by setting the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①⑦">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑤⑦">flag</a> in the signed <a data-link-type="dfn" href="#assertion" id="ref-for-assertion①②">assertion</a> response, -instead of revealing the biometric data itself to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪④">Relying Party</a>.</p> +authenticators</a> the biometric data might also be visible to the <a data-link-type="dfn" href="#client" id="ref-for-client①②⑦">client</a>, depending on the implementation. 
Biometric data is +not revealed to the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦①">WebAuthn Relying Party</a>; it is used only locally to perform <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑤⑨">user verification</a> authorizing the creation and <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑥">registration</a> of, or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑦">authentication</a> using, a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑦">public key credential</a>. A malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪①">Relying Party</a> therefore cannot discover the +user’s personal identity via biometric data, and a security breach at a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪②">Relying Party</a> cannot expose biometric data for an attacker to +use for forging logins at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪③">Relying Parties</a>.</p> + <p>In the case where a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪④">Relying Party</a> requires <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition⑥">biometric recognition</a>, this is performed locally by the <a data-link-type="dfn" href="#biometric-authenticator" id="ref-for-biometric-authenticator②">biometric authenticator</a> perfoming <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥⓪">user verification</a> and then signaling the result by setting the <a data-link-type="dfn" href="#authdata-flags-uv" id="ref-for-authdata-flags-uv①⑦">UV</a> <a data-link-type="dfn" href="#authdata-flags" id="ref-for-authdata-flags⑤⑦">flag</a> in the signed <a data-link-type="dfn" href="#assertion" id="ref-for-assertion①②">assertion</a> response, +instead of revealing 
the biometric data itself to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑤">Relying Party</a>.</p> <h3 class="heading settled" data-level="14.4" id="sctn-privacy-considerations-authenticator"><span class="secno">14.4. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③①⑨">authenticators</a></span><a class="self-link" href="#sctn-privacy-considerations-authenticator"></a></h3> <h4 class="heading settled" data-level="14.4.1" id="sctn-attestation-privacy"><span class="secno">14.4.1. </span><span class="content">Attestation Privacy</span><a class="self-link" href="#sctn-attestation-privacy"></a></h4> <p><a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate①⑤">Attestation certificates</a> and <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair⑦">attestation key pairs</a> can be used to track users 
@@ -8890,44 +8893,44 @@ <h4 class="heading settled" data-level="14.4.1" id="sctn-attestation-privacy"><s confusion in the specific context of this specification.</p> </ul> <h4 class="heading settled" data-level="14.4.2" id="sctn-pii-privacy"><span class="secno">14.4.2. </span><span class="content">Privacy of personally identifying information Stored in Authenticators</span><a class="self-link" href="#sctn-pii-privacy"></a></h4> - <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑤">Authenticators</a> MAY provide additional information to <a data-link-type="dfn" href="#client" id="ref-for-client①②⑦">clients</a> outside what’s defined by this specification, e.g., -to enable the <a data-link-type="dfn" href="#client" id="ref-for-client①②⑧">client</a> to provide a rich UI with which the user can pick which <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential③③">credential</a> to use for an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑤">authentication + <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑤">Authenticators</a> MAY provide additional information to <a data-link-type="dfn" href="#client" id="ref-for-client①②⑧">clients</a> outside what’s defined by this specification, e.g., +to enable the <a data-link-type="dfn" href="#client" id="ref-for-client①②⑨">client</a> to provide a rich UI with which the user can pick which <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential③③">credential</a> to use for an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑤">authentication ceremony</a>. 
If an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑥">authenticator</a> chooses to do so, it SHOULD NOT expose personally identifying information unless successful <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥①">user verification</a> has been performed. If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑦">authenticator</a> supports <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥②">user verification</a> with more than one concurrently enrolled user, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑧">authenticator</a> SHOULD NOT expose personally identifying information of users other than the currently <a data-link-type="dfn" href="#concept-user-verified" id="ref-for-concept-user-verified④">verified</a> user. Consequently, an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③②⑨">authenticator</a> that is not capable of <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥③">user verification</a> SHOULD NOT store personally identifying information.</p> <p>For the purposes of this discussion, the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑦">user handle</a> conveyed as the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-id" id="ref-for-dom-publickeycredentialuserentity-id①①">id</a></code> member of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity⑨">PublicKeyCredentialUserEntity</a></code> is not considered personally identifying information; see <a href="#sctn-user-handle-privacy">§ 14.6.1 User Handle Contents</a>.</p> <p>These recommendations serve to prevent an adversary with physical access to an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⓪">authenticator</a> from extracting personally 
identifying information about the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③①">authenticator</a>'s enrolled user(s).</p> - <h3 class="heading settled" data-level="14.5" id="sctn-privacy-considerations-client"><span class="secno">14.5. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#client" id="ref-for-client①②⑨">clients</a></span><a class="self-link" href="#sctn-privacy-considerations-client"></a></h3> + <h3 class="heading settled" data-level="14.5" id="sctn-privacy-considerations-client"><span class="secno">14.5. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#client" id="ref-for-client①③⓪">clients</a></span><a class="self-link" href="#sctn-privacy-considerations-client"></a></h3> <h4 class="heading settled" data-level="14.5.1" id="sctn-make-credential-privacy"><span class="secno">14.5.1. </span><span class="content">Registration Ceremony Privacy</span><a class="self-link" href="#sctn-make-credential-privacy"></a></h4> <p>In order to protect users from being identified without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑧">consent</a>, implementations of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot①②">[[Create]](origin, options, sameOriginWithAncestors)</a></code> method need to take care to not leak information that -could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦②">WebAuthn Relying Party</a> to distinguish between these cases, where "excluded" means that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑧">credentials</a> listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑤">Relying Party</a> in <code class="idl"><a data-link-type="idl" 
href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials④">excludeCredentials</a></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①⑦">bound</a> to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③②">authenticator</a>:</p> +could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦②">WebAuthn Relying Party</a> to distinguish between these cases, where "excluded" means that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑧">credentials</a> listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑥">Relying Party</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials④">excludeCredentials</a></code> is <a data-link-type="dfn" href="#bound-credential" id="ref-for-bound-credential①⑦">bound</a> to the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③②">authenticator</a>:</p> <ul> <li data-md> <p>No <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③③">authenticators</a> are present.</p> <li data-md> <p>At least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③④">authenticator</a> is present, and at least one present <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑤">authenticator</a> is excluded.</p> </ul> - <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑥">Relying Party</a> could identify the user by probing for + <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" 
id="ref-for-relying-party④⓪⑦">Relying Party</a> could identify the user by probing for which <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑦⑨">credentials</a> are available. For example, one such information leak is if the client returns a -failure response as soon as an excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑥">authenticator</a> becomes available. In this case - especially if the excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑦">authenticator</a> is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③③">platform authenticator</a> - the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑦">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①④">ceremony</a> was canceled +failure response as soon as an excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑥">authenticator</a> becomes available. 
In this case - especially if the excluded <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑦">authenticator</a> is a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③③">platform authenticator</a> - the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑧">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①④">ceremony</a> was canceled before the user could feasibly have canceled it manually, and thus conclude that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧⓪">credentials</a> listed in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-excludecredentials" id="ref-for-dom-publickeycredentialcreationoptions-excludecredentials⑤">excludeCredentials</a></code> parameter is available to the user.</p> <p>The above is not a concern, however, if the user has <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent②⑨">consented</a> to create a new credential before a distinguishable error is returned, because in this case the user has confirmed intent to share the information that would be leaked.</p> <h4 class="heading settled" data-level="14.5.2" id="sctn-assertion-privacy"><span class="secno">14.5.2. 
</span><span class="content">Authentication Ceremony Privacy</span><a class="self-link" href="#sctn-assertion-privacy"></a></h4> <p>In order to protect users from being identified without <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent③⓪">consent</a>, implementations of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot①④">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> method need to take care to not -leak information that could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦③">WebAuthn Relying Party</a> to distinguish between these cases, where "named" means that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧①">credential</a> is listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑧">Relying Party</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③①">allowCredentials</a></code>:</p> +leak information that could enable a malicious <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦③">WebAuthn Relying Party</a> to distinguish between these cases, where "named" means that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧①">credential</a> is listed by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑨">Relying Party</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③①">allowCredentials</a></code>:</p> <ul> <li data-md> <p>A named <a data-link-type="dfn" href="#public-key-credential" 
id="ref-for-public-key-credential⑧②">credential</a> is not available.</p> <li data-md> <p>A named <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧③">credential</a> is available, but the user does not <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent③①">consent</a> to use it.</p> </ul> - <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④⓪⑨">Relying Party</a> could identify the user by probing + <p>If the above cases are distinguishable, information is leaked by which a malicious <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⓪">Relying Party</a> could identify the user by probing for which <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧④">credentials</a> are available. For example, one such information leak may happen if the client displays instructions and controls for canceling or proceeding with the <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑥">authentication ceremony</a> only after discovering an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑧">authenticator</a> that <a data-link-type="dfn" href="#contains" id="ref-for-contains③">contains</a> a named <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#concept-credential" id="ref-for-concept-credential③④">credential</a>. 
-In this case, if the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⓪">Relying Party</a> is aware of this <a data-link-type="dfn" href="#client" id="ref-for-client①③⓪">client</a> behavior, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①①">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑤">ceremony</a> was canceled by the user and not the timeout, and thus conclude that at least +In this case, if the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①①">Relying Party</a> is aware of this <a data-link-type="dfn" href="#client" id="ref-for-client①③①">client</a> behavior, +the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①②">Relying Party</a> could detect that the <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑤">ceremony</a> was canceled by the user and not the timeout, and thus conclude that at least one of the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential⑧⑤">credentials</a> listed in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③②">allowCredentials</a></code> parameter is available to the user.</p> <p>This concern may be addressed by displaying controls allowing the user to cancel an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑦">authentication ceremony</a> at any time, 
@@ -8939,39 +8942,39 @@ <h4 class="heading settled" data-level="14.5.3" id="sctn-os-account-privacy"><sp <h4 class="heading settled" data-level="14.5.4" id="sctn-disclosing-client-capabilities"><span class="secno">14.5.4. </span><span class="content">Disclosing Client Capabilities</span><a class="self-link" href="#sctn-disclosing-client-capabilities"></a></h4> <p>The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-getclientcapabilities" id="ref-for-dom-publickeycredential-getclientcapabilities④">getClientCapabilities</a></code> method assists <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦④">WebAuthn Relying Parties</a> in crafting registration and authentication experiences which have a high chance of success with the client and/or user.</p> <p>The client’s support or lack of support of a WebAuthn capability may pose a fingerprinting risk. Client implementations MAY wish to limit capability disclosures based on client policy and/or user consent.</p> - <h3 class="heading settled" data-level="14.6" id="sctn-privacy-considerations-rp"><span class="secno">14.6. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①②">Relying Parties</a></span><a class="self-link" href="#sctn-privacy-considerations-rp"></a></h3> + <h3 class="heading settled" data-level="14.6" id="sctn-privacy-considerations-rp"><span class="secno">14.6. </span><span class="content">Privacy considerations for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①③">Relying Parties</a></span><a class="self-link" href="#sctn-privacy-considerations-rp"></a></h3> <h4 class="heading settled" data-level="14.6.1" id="sctn-user-handle-privacy"><span class="secno">14.6.1. 
</span><span class="content">User Handle Contents</span><a class="self-link" href="#sctn-user-handle-privacy"></a></h4> <p>Since the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑧">user handle</a> is not considered personally identifying information in <a href="#sctn-pii-privacy">§ 14.4.2 Privacy of personally identifying information Stored in Authenticators</a>, and since <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③③⑨">authenticators</a> MAY reveal <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle②⑨">user handles</a> without first performing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥④">user verification</a>, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①③">Relying Party</a> MUST NOT include personally identifying information, e.g., e-mail +the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①④">Relying Party</a> MUST NOT include personally identifying information, e.g., e-mail addresses or usernames, in the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle③⓪">user handle</a>. 
This includes hash values of personally identifying information, unless the hash -function is <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258">salted</a> with <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258①">salt</a> values private to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①④">Relying Party</a>, since hashing does not prevent probing for guessable input +function is <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258">salted</a> with <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4949#page-258" id="ref-for-page-258①">salt</a> values private to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑤">Relying Party</a>, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the <a data-link-type="dfn" href="#user-handle" id="ref-for-user-handle③①">user handle</a> be 64 random bytes, and store this value in the <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④②">user account</a>.</p> <h4 class="heading settled" data-level="14.6.2" id="sctn-username-enumeration"><span class="secno">14.6.2. </span><span class="content">Username Enumeration</span><a class="self-link" href="#sctn-username-enumeration"></a></h4> <p>While initiating a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②②">registration</a> or <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑧">authentication ceremony</a>, there is a risk that the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦⑤">WebAuthn Relying Party</a> might leak sensitive -information about its registered users. 
For example, if a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑤">Relying Party</a> uses e-mail addresses as usernames and an attacker attempts to -initiate an <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑧">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑥">ceremony</a> for "alex.mueller@example.com" and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑥">Relying Party</a> responds with a failure, but then +information about its registered users. For example, if a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑥">Relying Party</a> uses e-mail addresses as usernames and an attacker attempts to +initiate an <a data-link-type="dfn" href="#authentication" id="ref-for-authentication①⑧">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑥">ceremony</a> for "alex.mueller@example.com" and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑦">Relying Party</a> responds with a failure, but then successfully initiates an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony④⑨">authentication ceremony</a> for "j.doe@example.com", then the attacker can conclude that "j.doe@example.com" -is registered and "alex.mueller@example.com" is not. 
The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑦">Relying Party</a> has thus leaked the possibly sensitive information that -"j.doe@example.com" has a <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④③">user account</a> at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑧">Relying Party</a>.</p> - <p>The following is a non-normative, non-exhaustive list of measures the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑨">Relying Party</a> may implement to mitigate or prevent information +is registered and "alex.mueller@example.com" is not. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑧">Relying Party</a> has thus leaked the possibly sensitive information that +"j.doe@example.com" has a <a data-link-type="dfn" href="#user-account" id="ref-for-user-account④③">user account</a> at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④①⑨">Relying Party</a>.</p> + <p>The following is a non-normative, non-exhaustive list of measures the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⓪">Relying Party</a> may implement to mitigate or prevent information leakage due to such an attack:</p> <ul> <li data-md> <p>For <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②③">registration ceremonies</a>:</p> <ul> <li data-md> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⓪">Relying Party</a> uses <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②①">Relying Party</a>-specific usernames to identify users:</p> + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②①">Relying Party</a> uses <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②②">Relying Party</a>-specific usernames to identify users:</p> <ul> <li data-md> <p>When initiating a <a 
data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②④">registration ceremony</a>, disallow registration of usernames that are syntactically valid e-mail addresses.</p> - <p class="note" role="note"><span class="marker">Note:</span> The motivation for this suggestion is that in this case the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②②">Relying Party</a> probably has no choice but to fail the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⑤">registration ceremony</a> if the user attempts to register a username that is already registered, and an information + <p class="note" role="note"><span class="marker">Note:</span> The motivation for this suggestion is that in this case the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②③">Relying Party</a> probably has no choice but to fail the <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⑤">registration ceremony</a> if the user attempts to register a username that is already registered, and an information leak might therefore be unavoidable. 
By disallowing e-mail addresses as usernames, the impact of the leakage can be -mitigated since it will be less likely that a user has the same username at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②③">Relying Party</a> as at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②④">Relying Parties</a>.</p> +mitigated since it will be less likely that a user has the same username at this <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②④">Relying Party</a> as at other <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑤">Relying Parties</a>.</p> </ul> <li data-md> - <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑤">Relying Party</a> uses e-mail addresses to identify users:</p> + <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑥">Relying Party</a> uses e-mail addresses to identify users:</p> <ul> <li data-md> <p>When initiating a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⑥">registration ceremony</a>, interrupt the user interaction after the e-mail address is supplied and 
@@ -8991,7 +8994,7 @@ <h4 class="heading settled" data-level="14.6.2" id="sctn-username-enumeration">< ceremony by invoking <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get④⓪">navigator.credentials.get()</a></code> using a syntactically valid <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions①③">PublicKeyCredentialRequestOptions</a></code> object that is populated with plausible imaginary values.</p> <p>This approach could also be used to mitigate information leakage via <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③③">allowCredentials</a></code>; see <a href="#sctn-unprotected-account-detection">§ 13.4.7 Unprotected account detection</a> and <a href="#sctn-credential-id-privacy-leak">§ 14.6.3 Privacy leak via credential IDs</a>.</p> - <p class="note" role="note"><span class="marker">Note:</span> The username may be "provided" in various <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑥">Relying Party</a>-specific fashions: login form, session cookie, etc.</p> + <p class="note" role="note"><span class="marker">Note:</span> The username may be "provided" in various <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑦">Relying Party</a>-specific fashions: login form, session cookie, etc.</p> <p class="note" role="note"><span class="marker">Note:</span> If returned imaginary values noticeably differ from actual ones, clever attackers may be able to discern them and thus be able to test for existence of actual accounts. 
Examples of noticeably different values include if the values are always the same for all username inputs, or are different in repeated attempts with the same username input. The <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③④">allowCredentials</a></code> member could therefore be populated with pseudo-random values 
@@ -9008,17 +9011,17 @@ <h4 class="heading settled" data-level="14.6.2" id="sctn-username-enumeration">< </ul> <h4 class="heading settled" data-level="14.6.3" id="sctn-credential-id-privacy-leak"><span class="secno">14.6.3. </span><span class="content">Privacy leak via credential IDs</span><a class="self-link" href="#sctn-credential-id-privacy-leak"></a></h4> <p><em>This section is not normative.</em></p> - <p>This privacy consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑦">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑤③">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑧">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⑤">allowCredentials</a></code> argument as the first authentication step. + <p>This privacy consideration applies to <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑧">Relying Parties</a> that support <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑤③">authentication ceremonies</a> with a non-<a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-empty" id="ref-for-list-empty⑧">empty</a> <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⑤">allowCredentials</a></code> argument as the first authentication step. 
For example, if using authentication with <a data-link-type="dfn" href="#server-side-credential" id="ref-for-server-side-credential①⑥">server-side credentials</a> as the first authentication step.</p> <p>In this case the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⑥">allowCredentials</a></code> argument risks leaking personally identifying information, -since it exposes the user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤④">credential IDs</a> to an unauthenticated caller. <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⑤">Credential IDs</a> are designed to not be correlatable between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑧">Relying Parties</a>, +since it exposes the user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤④">credential IDs</a> to an unauthenticated caller. <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⑤">Credential IDs</a> are designed to not be correlatable between <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑨">Relying Parties</a>, but the length of a <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⑥">credential ID</a> might be a hint as to what type of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④①">authenticator</a> created it. 
-It is likely that a user will use the same username and set of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④②">authenticators</a> for several <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④②⑨">Relying Parties</a>, +It is likely that a user will use the same username and set of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④②">authenticators</a> for several <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③⓪">Relying Parties</a>, so the number of <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⑦">credential IDs</a> in <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⑦">allowCredentials</a></code> and their lengths might serve as a global correlation handle to de-anonymize the user. Knowing a user’s <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑤⑧">credential IDs</a> also makes it possible to confirm guesses about the user’s identity given only momentary physical access to one of the user’s <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④③">authenticators</a>.</p> - <p>In order to prevent such information leakage, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③⓪">Relying Party</a> could for example:</p> + <p>In order to prevent such information leakage, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③①">Relying Party</a> could for example:</p> <ul> <li data-md> <p>Perform a separate authentication step, 
@@ -9030,15 +9033,15 @@ <h4 class="heading settled" data-level="14.6.3" id="sctn-credential-id-privacy-l </ul> <p>If the above prevention measures are not available, i.e., if <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowcredentials" id="ref-for-dom-publickeycredentialrequestoptions-allowcredentials③⑨">allowCredentials</a></code> needs to be exposed given only a username, -the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③①">Relying Party</a> could mitigate the privacy leak using the same approach of returning imaginary <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑥⓪">credential IDs</a> as discussed in <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a>.</p> +the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③②">Relying Party</a> could mitigate the privacy leak using the same approach of returning imaginary <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑥⓪">credential IDs</a> as discussed in <a href="#sctn-username-enumeration">§ 14.6.2 Username Enumeration</a>.</p> <p>When <a data-link-type="dfn" href="#signal-methods" id="ref-for-signal-methods⑥">signalling</a> that a <a data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑥①">credential id</a> was not recognized, the <a data-link-type="dfn" href="#webauthn-relying-party" id="ref-for-webauthn-relying-party⑦⑥">WebAuthn Relying Party</a> SHOULD use the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-signalunknowncredential" id="ref-for-dom-publickeycredential-signalunknowncredential⑤">signalUnknownCredential(options)</a></code> method instead of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-signalallacceptedcredentials" id="ref-for-dom-publickeycredential-signalallacceptedcredentials⑦">signalAllAcceptedCredentials(options)</a></code> method to avoid exposing <a 
data-link-type="dfn" href="#credential-id" id="ref-for-credential-id⑥②">credential IDs</a> to an unauthenticated caller.</p> <h2 class="heading settled" data-level="15" id="sctn-accessiblility-considerations"><span class="secno">15. </span><span class="content">Accessibility Considerations</span><a class="self-link" href="#sctn-accessiblility-considerations"></a></h2> <p><a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification⑥⑤">User verification</a>-capable <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator③④④">authenticators</a>, whether <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②⑥">roaming</a> or <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators③⑥">platform</a>, should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators②⑦">roaming authenticators</a>, the authenticator and platform might work together to provide a user verification method such as PIN entry <a data-link-type="biblio" href="#biblio-fido-ctap" title="Client to Authenticator Protocol (CTAP)">[FIDO-CTAP]</a>.</p> - <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③②">Relying Parties</a>, at <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑦">registration</a> time, SHOULD provide affordances for users to complete future <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑨">authorization gestures</a> correctly. 
This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).</p> + <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③③">Relying Parties</a>, at <a data-link-type="dfn" href="#registration" id="ref-for-registration②⑦">registration</a> time, SHOULD provide affordances for users to complete future <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture②⑨">authorization gestures</a> correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self).</p> <h3 class="heading settled" data-level="15.1" id="sctn-timeout-recommended-range"><span class="secno">15.1. </span><span class="content">Recommended Range for Ceremony Timeouts</span><a class="self-link" href="#sctn-timeout-recommended-range"></a></h3> - <p><a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑧">Ceremonies</a> relying on timing, e.g., a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⑦">registration ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout④">timeout</a></code>) or an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑤⑤">authentication ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout④">timeout</a></code>), ought to follow <a data-link-type="biblio" href="#biblio-wcag21" title="Web Content Accessibility Guidelines (WCAG) 2.1">[WCAG21]</a>'s <a href="https://www.w3.org/TR/WCAG21/#enough-time">Guideline 2.2 Enough Time</a>. 
If a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑧">client platform</a> determines that a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③③">Relying Party</a>-supplied timeout does not appropriately adhere to the latter <a data-link-type="biblio" href="#biblio-wcag21" title="Web Content Accessibility Guidelines (WCAG) 2.1">[WCAG21]</a> guidelines, then the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑨">client platform</a> MAY adjust the timeout accordingly.</p> + <p><a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony①⑧">Ceremonies</a> relying on timing, e.g., a <a data-link-type="dfn" href="#registration-ceremony" id="ref-for-registration-ceremony②⑦">registration ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialcreationoptions-timeout" id="ref-for-dom-publickeycredentialcreationoptions-timeout④">timeout</a></code>) or an <a data-link-type="dfn" href="#authentication-ceremony" id="ref-for-authentication-ceremony⑤⑤">authentication ceremony</a> (see <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout④">timeout</a></code>), ought to follow <a data-link-type="biblio" href="#biblio-wcag21" title="Web Content Accessibility Guidelines (WCAG) 2.1">[WCAG21]</a>'s <a href="https://www.w3.org/TR/WCAG21/#enough-time">Guideline 2.2 Enough Time</a>. 
If a <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑧">client platform</a> determines that a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party④③④">Relying Party</a>-supplied timeout does not appropriately adhere to the latter <a data-link-type="biblio" href="#biblio-wcag21" title="Web Content Accessibility Guidelines (WCAG) 2.1">[WCAG21]</a> guidelines, then the <a data-link-type="dfn" href="#client-platform" id="ref-for-client-platform⑤⑨">client platform</a> MAY adjust the timeout accordingly.</p> <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="recommended-range-and-default-for-a-webauthn-ceremony-timeout">recommended range and default for a WebAuthn ceremony timeout</dfn> is as follows:</p> <ul> <li data-md> 
@@ -11390,7 +11393,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content "cece9985": {"dfnID":"cece9985","dfnText":"kty","external":true,"refSections":[{"refs":[{"id":"ref-for-name-cose-key-common-parameters"}],"title":"5.2.1.1. Easily accessing credential data"}],"url":"https://tools.ietf.org/html/rfc9052#name-cose-key-common-parameters"}, "ceremony": {"dfnID":"ceremony","dfnText":"Ceremony","external":false,"refSections":[{"refs":[{"id":"ref-for-ceremony"}],"title":"1. Introduction"},{"refs":[{"id":"ref-for-ceremony\u2460"},{"id":"ref-for-ceremony\u2461"},{"id":"ref-for-ceremony\u2462"},{"id":"ref-for-ceremony\u2463"},{"id":"ref-for-ceremony\u2464"},{"id":"ref-for-ceremony\u2465"},{"id":"ref-for-ceremony\u2466"},{"id":"ref-for-ceremony\u2467"},{"id":"ref-for-ceremony\u2468"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-ceremony\u2460\u24ea"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-ceremony\u2460\u2460"}],"title":"5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)"},{"refs":[{"id":"ref-for-ceremony\u2460\u2461"}],"title":"7. WebAuthn Relying Party Operations"},{"refs":[{"id":"ref-for-ceremony\u2460\u2462"}],"title":"13. Security Considerations"},{"refs":[{"id":"ref-for-ceremony\u2460\u2463"}],"title":"14.5.1. Registration Ceremony Privacy"},{"refs":[{"id":"ref-for-ceremony\u2460\u2464"}],"title":"14.5.2. Authentication Ceremony Privacy"},{"refs":[{"id":"ref-for-ceremony\u2460\u2465"},{"id":"ref-for-ceremony\u2460\u2466"}],"title":"14.6.2. Username Enumeration"},{"refs":[{"id":"ref-for-ceremony\u2460\u2467"}],"title":"15.1. Recommended Range for Ceremony Timeouts"}],"url":"#ceremony"}, "cfc67fdc": {"dfnID":"cfc67fdc","dfnText":"empty host","external":true,"refSections":[{"refs":[{"id":"ref-for-empty-host"}],"title":"5.1.3. 
Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-empty-host\u2460"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"}],"url":"https://url.spec.whatwg.org/#empty-host"}, -"client": {"dfnID":"client","dfnText":"Client","external":false,"refSections":[{"refs":[{"id":"ref-for-client"}],"title":"1.1. Specification Roadmap"},{"refs":[{"id":"ref-for-client\u2460"},{"id":"ref-for-client\u2461"}],"title":"1.3.1. Registration"},{"refs":[{"id":"ref-for-client\u2462"},{"id":"ref-for-client\u2463"},{"id":"ref-for-client\u2464"}],"title":"1.3.3. Authentication"},{"refs":[{"id":"ref-for-client\u2465"},{"id":"ref-for-client\u2466"},{"id":"ref-for-client\u2467"},{"id":"ref-for-client\u2468"},{"id":"ref-for-client\u2460\u24ea"},{"id":"ref-for-client\u2460\u2460"},{"id":"ref-for-client\u2460\u2461"},{"id":"ref-for-client\u2460\u2462"},{"id":"ref-for-client\u2460\u2463"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-client\u2460\u2464"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-client\u2460\u2465"},{"id":"ref-for-client\u2460\u2466"},{"id":"ref-for-client\u2460\u2467"},{"id":"ref-for-client\u2460\u2468"},{"id":"ref-for-client\u2461\u24ea"},{"id":"ref-for-client\u2461\u2460"},{"id":"ref-for-client\u2461\u2461"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client\u2461\u2462"}],"title":"5.1.3.1. Create Request Exceptions"},{"refs":[{"id":"ref-for-client\u2461\u2463"}],"title":"5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential\u2019s [[Get]](options) Method"},{"refs":[{"id":"ref-for-client\u2461\u2464"},{"id":"ref-for-client\u2461\u2465"},{"id":"ref-for-client\u2461\u2466"},{"id":"ref-for-client\u2461\u2467"}],"title":"5.1.4.1. 
PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client\u2461\u2468"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-client\u2462\u24ea"}],"title":"5.1.4.3. Get Request Exceptions"},{"refs":[{"id":"ref-for-client\u2462\u2460"}],"title":"5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential\u2019s isUserVerifyingPlatformAuthenticatorAvailable() Method"},{"refs":[{"id":"ref-for-client\u2462\u2461"},{"id":"ref-for-client\u2462\u2462"}],"title":"5.1.7. Availability of client capabilities - PublicKeyCredential\u2019s getClientCapabilities() Method"},{"refs":[{"id":"ref-for-client\u2462\u2463"},{"id":"ref-for-client\u2462\u2464"},{"id":"ref-for-client\u2462\u2465"}],"title":"5.1.8. Deserialize Registration ceremony options - PublicKeyCredential\u2019s parseCreationOptionsFromJSON() Method"},{"refs":[{"id":"ref-for-client\u2462\u2466"},{"id":"ref-for-client\u2462\u2467"},{"id":"ref-for-client\u2462\u2468"}],"title":"5.1.9. Deserialize Authentication ceremony options - PublicKeyCredential\u2019s parseRequestOptionsFromJSON() Methods"},{"refs":[{"id":"ref-for-client\u2463\u24ea"},{"id":"ref-for-client\u2463\u2460"}],"title":"5.1.10. Signal Credential Changes to the Authenticator - PublicKeyCredential\u2019s signal methods"},{"refs":[{"id":"ref-for-client\u2463\u2461"}],"title":"5.1.10.2. signalUnknownCredential(options)"},{"refs":[{"id":"ref-for-client\u2463\u2462"}],"title":"5.1.10.3. signalAllAcceptedCredentials(options)"},{"refs":[{"id":"ref-for-client\u2463\u2463"}],"title":"5.1.10.4. signalCurrentUserDetails(options)"},{"refs":[{"id":"ref-for-client\u2463\u2464"},{"id":"ref-for-client\u2463\u2465"},{"id":"ref-for-client\u2463\u2466"},{"id":"ref-for-client\u2463\u2467"},{"id":"ref-for-client\u2463\u2468"}],"title":"5.4. 
Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-client\u2464\u24ea"},{"id":"ref-for-client\u2464\u2460"},{"id":"ref-for-client\u2464\u2461"},{"id":"ref-for-client\u2464\u2462"}],"title":"5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-client\u2464\u2463"},{"id":"ref-for-client\u2464\u2464"}],"title":"5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)"},{"refs":[{"id":"ref-for-client\u2464\u2465"},{"id":"ref-for-client\u2464\u2466"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-client\u2464\u2467"},{"id":"ref-for-client\u2464\u2468"},{"id":"ref-for-client\u2465\u24ea"},{"id":"ref-for-client\u2465\u2460"}],"title":"5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)"},{"refs":[{"id":"ref-for-client\u2465\u2461"},{"id":"ref-for-client\u2465\u2462"},{"id":"ref-for-client\u2465\u2463"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-client\u2465\u2464"},{"id":"ref-for-client\u2465\u2465"},{"id":"ref-for-client\u2465\u2466"},{"id":"ref-for-client\u2465\u2467"},{"id":"ref-for-client\u2465\u2468"},{"id":"ref-for-client\u2466\u24ea"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-client\u2466\u2460"}],"title":"5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)"},{"refs":[{"id":"ref-for-client\u2466\u2461"}],"title":"5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)"},{"refs":[{"id":"ref-for-client\u2466\u2462"},{"id":"ref-for-client\u2466\u2463"}],"title":"5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)"},{"refs":[{"id":"ref-for-client\u2466\u2464"}],"title":"5.8.4. 
Authenticator Transport Enumeration (enum AuthenticatorTransport)"},{"refs":[{"id":"ref-for-client\u2466\u2465"}],"title":"5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)"},{"refs":[{"id":"ref-for-client\u2466\u2466"},{"id":"ref-for-client\u2466\u2467"}],"title":"6. WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-client\u2466\u2468"},{"id":"ref-for-client\u2467\u24ea"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-client\u2467\u2460"}],"title":"6.2. Authenticator Taxonomy"},{"refs":[{"id":"ref-for-client\u2467\u2461"},{"id":"ref-for-client\u2467\u2462"},{"id":"ref-for-client\u2467\u2463"},{"id":"ref-for-client\u2467\u2464"},{"id":"ref-for-client\u2467\u2465"}],"title":"6.2.1. Authenticator Attachment Modality"},{"refs":[{"id":"ref-for-client\u2467\u2466"}],"title":"6.2.2. Credential Storage Modality"},{"refs":[{"id":"ref-for-client\u2467\u2467"},{"id":"ref-for-client\u2467\u2468"},{"id":"ref-for-client\u2468\u24ea"},{"id":"ref-for-client\u2468\u2460"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-client\u2468\u2461"}],"title":"6.3.5. The silentCredentialDiscovery operation"},{"refs":[{"id":"ref-for-client\u2468\u2462"}],"title":"6.4.1. String Truncation"},{"refs":[{"id":"ref-for-client\u2468\u2463"}],"title":"6.4.1.2. String Truncation by Authenticators"},{"refs":[{"id":"ref-for-client\u2468\u2464"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-client\u2468\u2465"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-client\u2468\u2466"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-client\u2468\u2467"},{"id":"ref-for-client\u2468\u2468"},{"id":"ref-for-client\u2460\u24ea\u24ea"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2460"}],"title":"9.4. 
Client Extension Processing"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2461"},{"id":"ref-for-client\u2460\u24ea\u2462"},{"id":"ref-for-client\u2460\u24ea\u2463"},{"id":"ref-for-client\u2460\u24ea\u2464"},{"id":"ref-for-client\u2460\u24ea\u2465"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2466"}],"title":"12.4. WebAuthn Extension Identifier Registrations"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2467"}],"title":"13. Security Considerations"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2468"},{"id":"ref-for-client\u2460\u2460\u24ea"},{"id":"ref-for-client\u2460\u2460\u2460"},{"id":"ref-for-client\u2460\u2460\u2461"},{"id":"ref-for-client\u2460\u2460\u2462"},{"id":"ref-for-client\u2460\u2460\u2463"},{"id":"ref-for-client\u2460\u2460\u2464"},{"id":"ref-for-client\u2460\u2460\u2465"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-client\u2460\u2460\u2466"}],"title":"14. Privacy Considerations"},{"refs":[{"id":"ref-for-client\u2460\u2460\u2467"},{"id":"ref-for-client\u2460\u2460\u2468"},{"id":"ref-for-client\u2460\u2461\u24ea"},{"id":"ref-for-client\u2460\u2461\u2460"},{"id":"ref-for-client\u2460\u2461\u2461"}],"title":"14.1. De-anonymization Prevention Measures"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2462"},{"id":"ref-for-client\u2460\u2461\u2463"},{"id":"ref-for-client\u2460\u2461\u2464"}],"title":"14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2465"}],"title":"14.3. Authenticator-local Biometric Recognition"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2466"},{"id":"ref-for-client\u2460\u2461\u2467"}],"title":"14.4.2. Privacy of personally identifying information Stored in Authenticators"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2468"}],"title":"14.5. Privacy considerations for clients"},{"refs":[{"id":"ref-for-client\u2460\u2462\u24ea"}],"title":"14.5.2. 
Authentication Ceremony Privacy"}],"url":"#client"}, +"client": {"dfnID":"client","dfnText":"Client","external":false,"refSections":[{"refs":[{"id":"ref-for-client"}],"title":"1.1. Specification Roadmap"},{"refs":[{"id":"ref-for-client\u2460"},{"id":"ref-for-client\u2461"}],"title":"1.3.1. Registration"},{"refs":[{"id":"ref-for-client\u2462"},{"id":"ref-for-client\u2463"},{"id":"ref-for-client\u2464"}],"title":"1.3.3. Authentication"},{"refs":[{"id":"ref-for-client\u2465"},{"id":"ref-for-client\u2466"},{"id":"ref-for-client\u2467"},{"id":"ref-for-client\u2468"},{"id":"ref-for-client\u2460\u24ea"},{"id":"ref-for-client\u2460\u2460"},{"id":"ref-for-client\u2460\u2461"},{"id":"ref-for-client\u2460\u2462"},{"id":"ref-for-client\u2460\u2463"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-client\u2460\u2464"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-client\u2460\u2465"},{"id":"ref-for-client\u2460\u2466"},{"id":"ref-for-client\u2460\u2467"},{"id":"ref-for-client\u2460\u2468"},{"id":"ref-for-client\u2461\u24ea"},{"id":"ref-for-client\u2461\u2460"},{"id":"ref-for-client\u2461\u2461"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client\u2461\u2462"}],"title":"5.1.3.1. Create Request Exceptions"},{"refs":[{"id":"ref-for-client\u2461\u2463"}],"title":"5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential\u2019s [[Get]](options) Method"},{"refs":[{"id":"ref-for-client\u2461\u2464"},{"id":"ref-for-client\u2461\u2465"},{"id":"ref-for-client\u2461\u2466"},{"id":"ref-for-client\u2461\u2467"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client\u2461\u2468"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-client\u2462\u24ea"}],"title":"5.1.4.3. 
Get Request Exceptions"},{"refs":[{"id":"ref-for-client\u2462\u2460"}],"title":"5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential\u2019s isUserVerifyingPlatformAuthenticatorAvailable() Method"},{"refs":[{"id":"ref-for-client\u2462\u2461"},{"id":"ref-for-client\u2462\u2462"}],"title":"5.1.7. Availability of client capabilities - PublicKeyCredential\u2019s getClientCapabilities() Method"},{"refs":[{"id":"ref-for-client\u2462\u2463"},{"id":"ref-for-client\u2462\u2464"},{"id":"ref-for-client\u2462\u2465"}],"title":"5.1.8. Deserialize Registration ceremony options - PublicKeyCredential\u2019s parseCreationOptionsFromJSON() Method"},{"refs":[{"id":"ref-for-client\u2462\u2466"},{"id":"ref-for-client\u2462\u2467"},{"id":"ref-for-client\u2462\u2468"}],"title":"5.1.9. Deserialize Authentication ceremony options - PublicKeyCredential\u2019s parseRequestOptionsFromJSON() Methods"},{"refs":[{"id":"ref-for-client\u2463\u24ea"},{"id":"ref-for-client\u2463\u2460"}],"title":"5.1.10. Signal Credential Changes to the Authenticator - PublicKeyCredential\u2019s signal methods"},{"refs":[{"id":"ref-for-client\u2463\u2461"}],"title":"5.1.10.2. signalUnknownCredential(options)"},{"refs":[{"id":"ref-for-client\u2463\u2462"}],"title":"5.1.10.3. signalAllAcceptedCredentials(options)"},{"refs":[{"id":"ref-for-client\u2463\u2463"}],"title":"5.1.10.4. signalCurrentUserDetails(options)"},{"refs":[{"id":"ref-for-client\u2463\u2464"},{"id":"ref-for-client\u2463\u2465"},{"id":"ref-for-client\u2463\u2466"},{"id":"ref-for-client\u2463\u2467"},{"id":"ref-for-client\u2463\u2468"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-client\u2464\u24ea"},{"id":"ref-for-client\u2464\u2460"},{"id":"ref-for-client\u2464\u2461"},{"id":"ref-for-client\u2464\u2462"},{"id":"ref-for-client\u2464\u2463"}],"title":"5.4.1. 
Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-client\u2464\u2464"},{"id":"ref-for-client\u2464\u2465"}],"title":"5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)"},{"refs":[{"id":"ref-for-client\u2464\u2466"},{"id":"ref-for-client\u2464\u2467"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-client\u2464\u2468"},{"id":"ref-for-client\u2465\u24ea"},{"id":"ref-for-client\u2465\u2460"},{"id":"ref-for-client\u2465\u2461"}],"title":"5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)"},{"refs":[{"id":"ref-for-client\u2465\u2462"},{"id":"ref-for-client\u2465\u2463"},{"id":"ref-for-client\u2465\u2464"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-client\u2465\u2465"},{"id":"ref-for-client\u2465\u2466"},{"id":"ref-for-client\u2465\u2467"},{"id":"ref-for-client\u2465\u2468"},{"id":"ref-for-client\u2466\u24ea"},{"id":"ref-for-client\u2466\u2460"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-client\u2466\u2461"}],"title":"5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)"},{"refs":[{"id":"ref-for-client\u2466\u2462"}],"title":"5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)"},{"refs":[{"id":"ref-for-client\u2466\u2463"},{"id":"ref-for-client\u2466\u2464"}],"title":"5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)"},{"refs":[{"id":"ref-for-client\u2466\u2465"}],"title":"5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)"},{"refs":[{"id":"ref-for-client\u2466\u2466"}],"title":"5.8.6. 
User Verification Requirement Enumeration (enum UserVerificationRequirement)"},{"refs":[{"id":"ref-for-client\u2466\u2467"},{"id":"ref-for-client\u2466\u2468"}],"title":"6. WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-client\u2467\u24ea"},{"id":"ref-for-client\u2467\u2460"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-client\u2467\u2461"}],"title":"6.2. Authenticator Taxonomy"},{"refs":[{"id":"ref-for-client\u2467\u2462"},{"id":"ref-for-client\u2467\u2463"},{"id":"ref-for-client\u2467\u2464"},{"id":"ref-for-client\u2467\u2465"},{"id":"ref-for-client\u2467\u2466"}],"title":"6.2.1. Authenticator Attachment Modality"},{"refs":[{"id":"ref-for-client\u2467\u2467"}],"title":"6.2.2. Credential Storage Modality"},{"refs":[{"id":"ref-for-client\u2467\u2468"},{"id":"ref-for-client\u2468\u24ea"},{"id":"ref-for-client\u2468\u2460"},{"id":"ref-for-client\u2468\u2461"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-client\u2468\u2462"}],"title":"6.3.5. The silentCredentialDiscovery operation"},{"refs":[{"id":"ref-for-client\u2468\u2463"}],"title":"6.4.1. String Truncation"},{"refs":[{"id":"ref-for-client\u2468\u2464"}],"title":"6.4.1.2. String Truncation by Authenticators"},{"refs":[{"id":"ref-for-client\u2468\u2465"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-client\u2468\u2466"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-client\u2468\u2467"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-client\u2468\u2468"},{"id":"ref-for-client\u2460\u24ea\u24ea"},{"id":"ref-for-client\u2460\u24ea\u2460"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2461"}],"title":"9.4. 
Client Extension Processing"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2462"},{"id":"ref-for-client\u2460\u24ea\u2463"},{"id":"ref-for-client\u2460\u24ea\u2464"},{"id":"ref-for-client\u2460\u24ea\u2465"},{"id":"ref-for-client\u2460\u24ea\u2466"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2467"}],"title":"12.4. WebAuthn Extension Identifier Registrations"},{"refs":[{"id":"ref-for-client\u2460\u24ea\u2468"}],"title":"13. Security Considerations"},{"refs":[{"id":"ref-for-client\u2460\u2460\u24ea"},{"id":"ref-for-client\u2460\u2460\u2460"},{"id":"ref-for-client\u2460\u2460\u2461"},{"id":"ref-for-client\u2460\u2460\u2462"},{"id":"ref-for-client\u2460\u2460\u2463"},{"id":"ref-for-client\u2460\u2460\u2464"},{"id":"ref-for-client\u2460\u2460\u2465"},{"id":"ref-for-client\u2460\u2460\u2466"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-client\u2460\u2460\u2467"}],"title":"14. Privacy Considerations"},{"refs":[{"id":"ref-for-client\u2460\u2460\u2468"},{"id":"ref-for-client\u2460\u2461\u24ea"},{"id":"ref-for-client\u2460\u2461\u2460"},{"id":"ref-for-client\u2460\u2461\u2461"},{"id":"ref-for-client\u2460\u2461\u2462"}],"title":"14.1. De-anonymization Prevention Measures"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2463"},{"id":"ref-for-client\u2460\u2461\u2464"},{"id":"ref-for-client\u2460\u2461\u2465"}],"title":"14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2466"}],"title":"14.3. Authenticator-local Biometric Recognition"},{"refs":[{"id":"ref-for-client\u2460\u2461\u2467"},{"id":"ref-for-client\u2460\u2461\u2468"}],"title":"14.4.2. Privacy of personally identifying information Stored in Authenticators"},{"refs":[{"id":"ref-for-client\u2460\u2462\u24ea"}],"title":"14.5. Privacy considerations for clients"},{"refs":[{"id":"ref-for-client\u2460\u2462\u2460"}],"title":"14.5.2. 
Authentication Ceremony Privacy"}],"url":"#client"}, "client-data": {"dfnID":"client-data","dfnText":"client data","external":false,"refSections":[{"refs":[{"id":"ref-for-client-data"},{"id":"ref-for-client-data\u2460"}],"title":"5.2. Authenticator Responses (interface AuthenticatorResponse)"},{"refs":[{"id":"ref-for-client-data\u2461"},{"id":"ref-for-client-data\u2462"},{"id":"ref-for-client-data\u2463"},{"id":"ref-for-client-data\u2464"}],"title":"6. WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-client-data\u2465"},{"id":"ref-for-client-data\u2466"},{"id":"ref-for-client-data\u2467"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-client-data\u2468"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-client-data\u2460\u24ea"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-client-data\u2460\u2460"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-client-data\u2460\u2461"}],"title":"8.8. Apple Anonymous Attestation Statement Format"},{"refs":[{"id":"ref-for-client-data\u2460\u2462"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-client-data\u2460\u2463"},{"id":"ref-for-client-data\u2460\u2464"}],"title":"13.4.9. Validating the origin of a credential"}],"url":"#client-data"}, "client-device": {"dfnID":"client-device","dfnText":"Client Device","external":false,"refSections":[{"refs":[{"id":"ref-for-client-device"},{"id":"ref-for-client-device\u2460"},{"id":"ref-for-client-device\u2461"}],"title":"1.2.3. New Device Registration"},{"refs":[{"id":"ref-for-client-device\u2462"}],"title":"1.3. Sample API Usage Scenarios"},{"refs":[{"id":"ref-for-client-device\u2463"},{"id":"ref-for-client-device\u2464"},{"id":"ref-for-client-device\u2465"},{"id":"ref-for-client-device\u2466"},{"id":"ref-for-client-device\u2467"},{"id":"ref-for-client-device\u2468"},{"id":"ref-for-client-device\u2460\u24ea"},{"id":"ref-for-client-device\u2460\u2460"}],"title":"4. 
Terminology"},{"refs":[{"id":"ref-for-client-device\u2460\u2461"},{"id":"ref-for-client-device\u2460\u2462"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client-device\u2460\u2463"},{"id":"ref-for-client-device\u2460\u2464"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client-device\u2460\u2465"},{"id":"ref-for-client-device\u2460\u2466"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-client-device\u2460\u2467"},{"id":"ref-for-client-device\u2460\u2468"}],"title":"5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)"},{"refs":[{"id":"ref-for-client-device\u2461\u24ea"}],"title":"5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHint)"},{"refs":[{"id":"ref-for-client-device\u2461\u2460"},{"id":"ref-for-client-device\u2461\u2461"}],"title":"6. WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-client-device\u2461\u2462"},{"id":"ref-for-client-device\u2461\u2463"},{"id":"ref-for-client-device\u2461\u2464"},{"id":"ref-for-client-device\u2461\u2465"},{"id":"ref-for-client-device\u2461\u2466"},{"id":"ref-for-client-device\u2461\u2467"},{"id":"ref-for-client-device\u2461\u2468"}],"title":"6.2. 
Authenticator Taxonomy"},{"refs":[{"id":"ref-for-client-device\u2462\u24ea"},{"id":"ref-for-client-device\u2462\u2460"},{"id":"ref-for-client-device\u2462\u2461"},{"id":"ref-for-client-device\u2462\u2462"},{"id":"ref-for-client-device\u2462\u2463"},{"id":"ref-for-client-device\u2462\u2464"},{"id":"ref-for-client-device\u2462\u2465"},{"id":"ref-for-client-device\u2462\u2466"},{"id":"ref-for-client-device\u2462\u2467"},{"id":"ref-for-client-device\u2462\u2468"},{"id":"ref-for-client-device\u2463\u24ea"},{"id":"ref-for-client-device\u2463\u2460"},{"id":"ref-for-client-device\u2463\u2461"},{"id":"ref-for-client-device\u2463\u2462"}],"title":"6.2.1. Authenticator Attachment Modality"},{"refs":[{"id":"ref-for-client-device\u2463\u2463"}],"title":"6.2.2. Credential Storage Modality"},{"refs":[{"id":"ref-for-client-device\u2463\u2464"},{"id":"ref-for-client-device\u2463\u2465"}],"title":"13.4.6. Credential Loss and Key Mobility"},{"refs":[{"id":"ref-for-client-device\u2463\u2466"},{"id":"ref-for-client-device\u2463\u2467"}],"title":"14.5.3. Privacy Between Operating System Accounts"}],"url":"#client-device"}, "client-extension": {"dfnID":"client-extension","dfnText":"client extension","external":false,"refSections":[{"refs":[{"id":"ref-for-client-extension"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client-extension\u2460"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-client-extension\u2461"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-client-extension\u2462"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-client-extension\u2463"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-client-extension\u2464"}],"title":"9.2. 
Defining Extensions"},{"refs":[{"id":"ref-for-client-extension\u2465"}],"title":"9.4. Client Extension Processing"},{"refs":[{"id":"ref-for-client-extension\u2466"}],"title":"10.1. Client Extensions"},{"refs":[{"id":"ref-for-client-extension\u2467"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-client-extension\u2468"},{"id":"ref-for-client-extension\u2460\u24ea"}],"title":"10.1.4. Pseudo-random function extension (prf)"},{"refs":[{"id":"ref-for-client-extension\u2460\u2460"}],"title":"10.1.5. Large blob storage extension (largeBlob)"},{"refs":[{"id":"ref-for-client-extension\u2460\u2461"}],"title":"10.2. Authenticator Extensions"},{"refs":[{"id":"ref-for-client-extension\u2460\u2462"},{"id":"ref-for-client-extension\u2460\u2463"}],"title":"12.4. WebAuthn Extension Identifier Registrations"}],"url":"#client-extension"}, 
@@ -11761,7 +11764,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content "registration": {"dfnID":"registration","dfnText":"Registration","external":false,"refSections":[{"refs":[{"id":"ref-for-registration"},{"id":"ref-for-registration\u2460"}],"title":"1. Introduction"},{"refs":[{"id":"ref-for-registration\u2461"}],"title":"1.1. Specification Roadmap"},{"refs":[{"id":"ref-for-registration\u2462"},{"id":"ref-for-registration\u2463"},{"id":"ref-for-registration\u2464"},{"id":"ref-for-registration\u2465"},{"id":"ref-for-registration\u2466"},{"id":"ref-for-registration\u2467"},{"id":"ref-for-registration\u2468"},{"id":"ref-for-registration\u2460\u24ea"},{"id":"ref-for-registration\u2460\u2460"},{"id":"ref-for-registration\u2460\u2461"},{"id":"ref-for-registration\u2460\u2462"},{"id":"ref-for-registration\u2460\u2463"},{"id":"ref-for-registration\u2460\u2464"},{"id":"ref-for-registration\u2460\u2465"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-registration\u2460\u2466"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-registration\u2460\u2467"}],"title":"6.2.3. Authentication Factor Capability"},{"refs":[{"id":"ref-for-registration\u2460\u2468"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-registration\u2461\u24ea"},{"id":"ref-for-registration\u2461\u2460"}],"title":"10.1.4. Pseudo-random function extension (prf)"},{"refs":[{"id":"ref-for-registration\u2461\u2461"}],"title":"13. Security Considerations"},{"refs":[{"id":"ref-for-registration\u2461\u2462"},{"id":"ref-for-registration\u2461\u2463"}],"title":"13.4.5. Revoked Attestation Certificates"},{"refs":[{"id":"ref-for-registration\u2461\u2464"}],"title":"14.1. De-anonymization Prevention Measures"},{"refs":[{"id":"ref-for-registration\u2461\u2465"}],"title":"14.3. Authenticator-local Biometric Recognition"},{"refs":[{"id":"ref-for-registration\u2461\u2466"}],"title":"15. 
Accessibility Considerations"},{"refs":[{"id":"ref-for-registration\u2461\u2467"}],"title":"16. Acknowledgements"}],"url":"#registration"}, "registration-ceremony": {"dfnID":"registration-ceremony","dfnText":"Registration Ceremony","external":false,"refSections":[{"refs":[{"id":"ref-for-registration-ceremony"},{"id":"ref-for-registration-ceremony\u2460"},{"id":"ref-for-registration-ceremony\u2461"},{"id":"ref-for-registration-ceremony\u2462"},{"id":"ref-for-registration-ceremony\u2463"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-registration-ceremony\u2464"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-registration-ceremony\u2465"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-registration-ceremony\u2466"}],"title":"5.8.7. Client Capability Enumeration (enum ClientCapability)"},{"refs":[{"id":"ref-for-registration-ceremony\u2467"}],"title":"5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHint)"},{"refs":[{"id":"ref-for-registration-ceremony\u2468"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-registration-ceremony\u2460\u24ea"}],"title":"6.1.3. Credential Backup State"},{"refs":[{"id":"ref-for-registration-ceremony\u2460\u2460"}],"title":"7. WebAuthn Relying Party Operations"},{"refs":[{"id":"ref-for-registration-ceremony\u2460\u2461"},{"id":"ref-for-registration-ceremony\u2460\u2462"},{"id":"ref-for-registration-ceremony\u2460\u2463"},{"id":"ref-for-registration-ceremony\u2460\u2464"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-registration-ceremony\u2460\u2465"},{"id":"ref-for-registration-ceremony\u2460\u2466"},{"id":"ref-for-registration-ceremony\u2460\u2467"},{"id":"ref-for-registration-ceremony\u2460\u2468"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-registration-ceremony\u2461\u24ea"}],"title":"13.4.1. 
Security Benefits for WebAuthn Relying Parties"},{"refs":[{"id":"ref-for-registration-ceremony\u2461\u2460"}],"title":"13.4.4. Attestation Limitations"},{"refs":[{"id":"ref-for-registration-ceremony\u2461\u2461"},{"id":"ref-for-registration-ceremony\u2461\u2462"},{"id":"ref-for-registration-ceremony\u2461\u2463"},{"id":"ref-for-registration-ceremony\u2461\u2464"},{"id":"ref-for-registration-ceremony\u2461\u2465"}],"title":"14.6.2. Username Enumeration"},{"refs":[{"id":"ref-for-registration-ceremony\u2461\u2466"}],"title":"15.1. Recommended Range for Ceremony Timeouts"}],"url":"#registration-ceremony"}, "registration-extension": {"dfnID":"registration-extension","dfnText":"registration\nextension","external":false,"refSections":[{"refs":[{"id":"ref-for-registration-extension"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-registration-extension\u2460"}],"title":"5.7. WebAuthn Extensions Inputs and Outputs"},{"refs":[{"id":"ref-for-registration-extension\u2461"},{"id":"ref-for-registration-extension\u2462"},{"id":"ref-for-registration-extension\u2463"},{"id":"ref-for-registration-extension\u2464"},{"id":"ref-for-registration-extension\u2465"},{"id":"ref-for-registration-extension\u2466"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-registration-extension\u2467"}],"title":"10.1.2. FIDO AppID Exclusion Extension (appidExclude)"},{"refs":[{"id":"ref-for-registration-extension\u2468"},{"id":"ref-for-registration-extension\u2460\u24ea"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-registration-extension\u2460\u2460"},{"id":"ref-for-registration-extension\u2460\u2461"},{"id":"ref-for-registration-extension\u2460\u2462"}],"title":"10.1.4. 
Pseudo-random function extension (prf)"},{"refs":[{"id":"ref-for-registration-extension\u2460\u2463"},{"id":"ref-for-registration-extension\u2460\u2464"},{"id":"ref-for-registration-extension\u2460\u2465"},{"id":"ref-for-registration-extension\u2460\u2466"},{"id":"ref-for-registration-extension\u2460\u2467"},{"id":"ref-for-registration-extension\u2460\u2468"},{"id":"ref-for-registration-extension\u2461\u24ea"}],"title":"10.1.5. Large blob storage extension (largeBlob)"},{"refs":[{"id":"ref-for-registration-extension\u2461\u2460"},{"id":"ref-for-registration-extension\u2461\u2461"}],"title":"12.4. WebAuthn Extension Identifier Registrations"}],"url":"#registration-extension"}, -"relying-party": {"dfnID":"relying-party","dfnText":"Relying Party","external":false,"refSections":[{"refs":[{"id":"ref-for-relying-party\u2460"},{"id":"ref-for-relying-party\u2461"},{"id":"ref-for-relying-party\u2462"},{"id":"ref-for-relying-party\u2463"},{"id":"ref-for-relying-party\u2464"},{"id":"ref-for-relying-party\u2465"},{"id":"ref-for-relying-party\u2466"}],"title":"1. Introduction"},{"refs":[{"id":"ref-for-relying-party\u2467"},{"id":"ref-for-relying-party\u2468"},{"id":"ref-for-relying-party\u2460\u24ea"},{"id":"ref-for-relying-party\u2460\u2460"},{"id":"ref-for-relying-party\u2460\u2461"},{"id":"ref-for-relying-party\u2460\u2462"},{"id":"ref-for-relying-party\u2460\u2463"},{"id":"ref-for-relying-party\u2460\u2464"}],"title":"1.1. Specification Roadmap"},{"refs":[{"id":"ref-for-relying-party\u2460\u2465"}],"title":"1.2.3. New Device Registration"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466"}],"title":"1.2.4. Other Use Cases and Configurations"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467"},{"id":"ref-for-relying-party\u2460\u2468"},{"id":"ref-for-relying-party\u2461\u24ea"},{"id":"ref-for-relying-party\u2461\u2460"}],"title":"1.3.1. 
Registration"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461"},{"id":"ref-for-relying-party\u2461\u2462"},{"id":"ref-for-relying-party\u2461\u2463"}],"title":"1.3.2. Registration Specifically with User-Verifying Platform Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2461\u2464"},{"id":"ref-for-relying-party\u2461\u2465"},{"id":"ref-for-relying-party\u2461\u2466"},{"id":"ref-for-relying-party\u2461\u2467"},{"id":"ref-for-relying-party\u2461\u2468"}],"title":"1.3.3. Authentication"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea"},{"id":"ref-for-relying-party\u2462\u2460"}],"title":"1.3.5. Decommissioning"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461"}],"title":"2.1.1. Enumerations as DOMString types"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462"},{"id":"ref-for-relying-party\u2462\u2463"},{"id":"ref-for-relying-party\u2462\u2464"},{"id":"ref-for-relying-party\u2462\u2465"},{"id":"ref-for-relying-party\u2462\u2466"},{"id":"ref-for-relying-party\u2462\u2467"},{"id":"ref-for-relying-party\u2462\u2468"},{"id":"ref-for-relying-party\u2463\u24ea"},{"id":"ref-for-relying-party\u2463\u2460"},{"id":"ref-for-relying-party\u2463\u2461"},{"id":"ref-for-relying-party\u2463\u2462"},{"id":"ref-for-relying-party\u2463\u2463"},{"id":"ref-for-relying-party\u2463\u2464"},{"id":"ref-for-relying-party\u2463\u2465"},{"id":"ref-for-relying-party\u2463\u2466"},{"id":"ref-for-relying-party\u2463\u2467"},{"id":"ref-for-relying-party\u2463\u2468"},{"id":"ref-for-relying-party\u2464\u24ea"},{"id":"ref-for-relying-party\u2464\u2460"},{"id":"ref-for-relying-party\u2464\u2461"},{"id":"ref-for-relying-party\u2464\u2462"},{"id":"ref-for-relying-party\u2464\u2463"},{"id":"ref-for-relying-party\u2464\u2464"},{"id":"ref-for-relying-party\u2464\u2465"},{"id":"ref-for-relying-party\u2464\u2466"},{"id":"ref-for-relying-party\u2464\u2467"},{"id":"ref-for-relying-party\u2464\u2468"},{"id":"ref-for-relying-party\u2465\u24ea"},{"id":"ref-for-relying-party\u2465\u2460"},{"id":"ref-f
or-relying-party\u2465\u2461"},{"id":"ref-for-relying-party\u2465\u2462"},{"id":"ref-for-relying-party\u2465\u2463"},{"id":"ref-for-relying-party\u2465\u2464"},{"id":"ref-for-relying-party\u2465\u2465"},{"id":"ref-for-relying-party\u2465\u2466"},{"id":"ref-for-relying-party\u2465\u2467"},{"id":"ref-for-relying-party\u2465\u2468"},{"id":"ref-for-relying-party\u2466\u24ea"},{"id":"ref-for-relying-party\u2466\u2460"},{"id":"ref-for-relying-party\u2466\u2461"},{"id":"ref-for-relying-party\u2466\u2462"},{"id":"ref-for-relying-party\u2466\u2463"},{"id":"ref-for-relying-party\u2466\u2464"},{"id":"ref-for-relying-party\u2466\u2465"},{"id":"ref-for-relying-party\u2466\u2466"},{"id":"ref-for-relying-party\u2466\u2467"},{"id":"ref-for-relying-party\u2466\u2468"},{"id":"ref-for-relying-party\u2467\u24ea"},{"id":"ref-for-relying-party\u2467\u2460"},{"id":"ref-for-relying-party\u2467\u2461"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-relying-party\u2467\u2462"},{"id":"ref-for-relying-party\u2467\u2463"},{"id":"ref-for-relying-party\u2467\u2464"},{"id":"ref-for-relying-party\u2467\u2465"},{"id":"ref-for-relying-party\u2467\u2466"},{"id":"ref-for-relying-party\u2467\u2467"},{"id":"ref-for-relying-party\u2467\u2468"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-relying-party\u2468\u24ea"},{"id":"ref-for-relying-party\u2468\u2460"},{"id":"ref-for-relying-party\u2468\u2461"},{"id":"ref-for-relying-party\u2468\u2462"},{"id":"ref-for-relying-party\u2468\u2463"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-relying-party\u2468\u2464"},{"id":"ref-for-relying-party\u2468\u2465"},{"id":"ref-for-relying-party\u2468\u2466"},{"id":"ref-for-relying-party\u2468\u2467"},{"id":"ref-for-relying-party\u2468\u2468"},{"id":"ref-for-relying-party\u2460\u24ea\u24ea"}],"title":"5.1.3. 
Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2460"},{"id":"ref-for-relying-party\u2460\u24ea\u2461"},{"id":"ref-for-relying-party\u2460\u24ea\u2462"},{"id":"ref-for-relying-party\u2460\u24ea\u2463"}],"title":"5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential\u2019s [[Get]](options) Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2464"},{"id":"ref-for-relying-party\u2460\u24ea\u2465"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2466"}],"title":"5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential\u2019s isUserVerifyingPlatformAuthenticatorAvailable() Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2467"},{"id":"ref-for-relying-party\u2460\u24ea\u2468"}],"title":"5.1.7. Availability of client capabilities - PublicKeyCredential\u2019s getClientCapabilities() Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u24ea"},{"id":"ref-for-relying-party\u2460\u2460\u2460"}],"title":"5.1.10.3. signalAllAcceptedCredentials(options)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2461"}],"title":"5.2. Authenticator Responses (interface AuthenticatorResponse)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2462"},{"id":"ref-for-relying-party\u2460\u2460\u2463"}],"title":"5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2464"},{"id":"ref-for-relying-party\u2460\u2460\u2465"},{"id":"ref-for-relying-party\u2460\u2460\u2466"},{"id":"ref-for-relying-party\u2460\u2460\u2467"},{"id":"ref-for-relying-party\u2460\u2460\u2468"},{"id":"ref-for-relying-party\u2460\u2461\u24ea"},{"id":"ref-for-relying-party\u2460\u2461\u2460"}],"title":"5.2.1.1. 
Easily accessing credential data"},{"refs":[{"id":"ref-for-relying-party\u2460\u2461\u2461"},{"id":"ref-for-relying-party\u2460\u2461\u2462"},{"id":"ref-for-relying-party\u2460\u2461\u2463"},{"id":"ref-for-relying-party\u2460\u2461\u2464"},{"id":"ref-for-relying-party\u2460\u2461\u2465"},{"id":"ref-for-relying-party\u2460\u2461\u2466"},{"id":"ref-for-relying-party\u2460\u2461\u2467"},{"id":"ref-for-relying-party\u2460\u2461\u2468"},{"id":"ref-for-relying-party\u2460\u2462\u24ea"},{"id":"ref-for-relying-party\u2460\u2462\u2460"},{"id":"ref-for-relying-party\u2460\u2462\u2461"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2462\u2462"},{"id":"ref-for-relying-party\u2460\u2462\u2463"},{"id":"ref-for-relying-party\u2460\u2462\u2464"},{"id":"ref-for-relying-party\u2460\u2462\u2465"},{"id":"ref-for-relying-party\u2460\u2462\u2466"},{"id":"ref-for-relying-party\u2460\u2462\u2467"}],"title":"5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2462\u2468"},{"id":"ref-for-relying-party\u2460\u2463\u24ea"}],"title":"5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u2460"},{"id":"ref-for-relying-party\u2460\u2463\u2461"},{"id":"ref-for-relying-party\u2460\u2463\u2462"},{"id":"ref-for-relying-party\u2460\u2463\u2463"},{"id":"ref-for-relying-party\u2460\u2463\u2464"}],"title":"5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u2465"},{"id":"ref-for-relying-party\u2460\u2463\u2466"},{"id":"ref-for-relying-party\u2460\u2463\u2467"}],"title":"5.4.4. 
Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u2468"},{"id":"ref-for-relying-party\u2460\u2464\u24ea"},{"id":"ref-for-relying-party\u2460\u2464\u2460"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2464\u2461"},{"id":"ref-for-relying-party\u2460\u2464\u2462"},{"id":"ref-for-relying-party\u2460\u2464\u2463"},{"id":"ref-for-relying-party\u2460\u2464\u2464"},{"id":"ref-for-relying-party\u2460\u2464\u2465"},{"id":"ref-for-relying-party\u2460\u2464\u2466"}],"title":"5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2464\u2467"},{"id":"ref-for-relying-party\u2460\u2464\u2468"},{"id":"ref-for-relying-party\u2460\u2465\u24ea"},{"id":"ref-for-relying-party\u2460\u2465\u2460"},{"id":"ref-for-relying-party\u2460\u2465\u2461"},{"id":"ref-for-relying-party\u2460\u2465\u2462"},{"id":"ref-for-relying-party\u2460\u2465\u2463"},{"id":"ref-for-relying-party\u2460\u2465\u2464"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2465\u2465"},{"id":"ref-for-relying-party\u2460\u2465\u2466"},{"id":"ref-for-relying-party\u2460\u2465\u2467"},{"id":"ref-for-relying-party\u2460\u2465\u2468"},{"id":"ref-for-relying-party\u2460\u2466\u24ea"},{"id":"ref-for-relying-party\u2460\u2466\u2460"},{"id":"ref-for-relying-party\u2460\u2466\u2461"},{"id":"ref-for-relying-party\u2460\u2466\u2462"},{"id":"ref-for-relying-party\u2460\u2466\u2463"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466\u2464"}],"title":"5.7.3. 
Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466\u2465"},{"id":"ref-for-relying-party\u2460\u2466\u2466"},{"id":"ref-for-relying-party\u2460\u2466\u2467"},{"id":"ref-for-relying-party\u2460\u2466\u2468"},{"id":"ref-for-relying-party\u2460\u2467\u24ea"}],"title":"5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2460"}],"title":"5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2461"},{"id":"ref-for-relying-party\u2460\u2467\u2462"},{"id":"ref-for-relying-party\u2460\u2467\u2463"}],"title":"5.8.6. User Verification Requirement Enumeration (enum UserVerificationRequirement)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2464"}],"title":"5.8.7. Client Capability Enumeration (enum ClientCapability)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2465"},{"id":"ref-for-relying-party\u2460\u2467\u2466"},{"id":"ref-for-relying-party\u2460\u2467\u2467"},{"id":"ref-for-relying-party\u2460\u2467\u2468"},{"id":"ref-for-relying-party\u2460\u2468\u24ea"},{"id":"ref-for-relying-party\u2460\u2468\u2460"},{"id":"ref-for-relying-party\u2460\u2468\u2461"}],"title":"5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHint)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2462"}],"title":"5.10. Using Web Authentication within iframe elements"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2463"}],"title":"5.11. Using Web Authentication across related origins"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2464"},{"id":"ref-for-relying-party\u2460\u2468\u2465"},{"id":"ref-for-relying-party\u2460\u2468\u2466"},{"id":"ref-for-relying-party\u2460\u2468\u2467"},{"id":"ref-for-relying-party\u2460\u2468\u2468"}],"title":"6. 
WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u24ea"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u2460"},{"id":"ref-for-relying-party\u2461\u24ea\u2461"},{"id":"ref-for-relying-party\u2461\u24ea\u2462"},{"id":"ref-for-relying-party\u2461\u24ea\u2463"},{"id":"ref-for-relying-party\u2461\u24ea\u2464"}],"title":"6.1.1. Signature Counter Considerations"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u2465"},{"id":"ref-for-relying-party\u2461\u24ea\u2466"},{"id":"ref-for-relying-party\u2461\u24ea\u2467"},{"id":"ref-for-relying-party\u2461\u24ea\u2468"},{"id":"ref-for-relying-party\u2461\u2460\u24ea"}],"title":"6.1.3. Credential Backup State"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2460"}],"title":"6.2. Authenticator Taxonomy"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2461"},{"id":"ref-for-relying-party\u2461\u2460\u2462"},{"id":"ref-for-relying-party\u2461\u2460\u2463"}],"title":"6.2.2. Credential Storage Modality"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2464"},{"id":"ref-for-relying-party\u2461\u2460\u2465"},{"id":"ref-for-relying-party\u2461\u2460\u2466"}],"title":"6.2.3. Authentication Factor Capability"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2467"},{"id":"ref-for-relying-party\u2461\u2460\u2468"},{"id":"ref-for-relying-party\u2461\u2461\u24ea"},{"id":"ref-for-relying-party\u2461\u2461\u2460"},{"id":"ref-for-relying-party\u2461\u2461\u2461"},{"id":"ref-for-relying-party\u2461\u2461\u2462"},{"id":"ref-for-relying-party\u2461\u2461\u2463"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461\u2464"},{"id":"ref-for-relying-party\u2461\u2461\u2465"},{"id":"ref-for-relying-party\u2461\u2461\u2466"}],"title":"6.3.3. The authenticatorGetAssertion Operation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461\u2467"}],"title":"6.4. 
String Handling"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461\u2468"}],"title":"6.4.1.1. String Truncation by Clients"},{"refs":[{"id":"ref-for-relying-party\u2461\u2462\u24ea"},{"id":"ref-for-relying-party\u2461\u2462\u2460"},{"id":"ref-for-relying-party\u2461\u2462\u2461"},{"id":"ref-for-relying-party\u2461\u2462\u2462"},{"id":"ref-for-relying-party\u2461\u2462\u2463"},{"id":"ref-for-relying-party\u2461\u2462\u2464"},{"id":"ref-for-relying-party\u2461\u2462\u2465"},{"id":"ref-for-relying-party\u2461\u2462\u2466"}],"title":"6.5. Attestation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2462\u2467"},{"id":"ref-for-relying-party\u2461\u2462\u2468"},{"id":"ref-for-relying-party\u2461\u2463\u24ea"},{"id":"ref-for-relying-party\u2461\u2463\u2460"},{"id":"ref-for-relying-party\u2461\u2463\u2461"}],"title":"6.5.3. Attestation Types"},{"refs":[{"id":"ref-for-relying-party\u2461\u2463\u2462"},{"id":"ref-for-relying-party\u2461\u2463\u2463"},{"id":"ref-for-relying-party\u2461\u2463\u2464"},{"id":"ref-for-relying-party\u2461\u2463\u2465"}],"title":"7. 
WebAuthn Relying Party Operations"},{"refs":[{"id":"ref-for-relying-party\u2461\u2463\u2466"},{"id":"ref-for-relying-party\u2461\u2463\u2467"},{"id":"ref-for-relying-party\u2461\u2463\u2468"},{"id":"ref-for-relying-party\u2461\u2464\u24ea"},{"id":"ref-for-relying-party\u2461\u2464\u2460"},{"id":"ref-for-relying-party\u2461\u2464\u2461"},{"id":"ref-for-relying-party\u2461\u2464\u2462"},{"id":"ref-for-relying-party\u2461\u2464\u2463"},{"id":"ref-for-relying-party\u2461\u2464\u2464"},{"id":"ref-for-relying-party\u2461\u2464\u2465"},{"id":"ref-for-relying-party\u2461\u2464\u2466"},{"id":"ref-for-relying-party\u2461\u2464\u2467"},{"id":"ref-for-relying-party\u2461\u2464\u2468"},{"id":"ref-for-relying-party\u2461\u2465\u24ea"},{"id":"ref-for-relying-party\u2461\u2465\u2460"},{"id":"ref-for-relying-party\u2461\u2465\u2461"},{"id":"ref-for-relying-party\u2461\u2465\u2462"},{"id":"ref-for-relying-party\u2461\u2465\u2463"},{"id":"ref-for-relying-party\u2461\u2465\u2464"},{"id":"ref-for-relying-party\u2461\u2465\u2465"},{"id":"ref-for-relying-party\u2461\u2465\u2466"},{"id":"ref-for-relying-party\u2461\u2465\u2467"},{"id":"ref-for-relying-party\u2461\u2465\u2468"},{"id":"ref-for-relying-party\u2461\u2466\u24ea"},{"id":"ref-for-relying-party\u2461\u2466\u2460"},{"id":"ref-for-relying-party\u2461\u2466\u2461"}],"title":"7.1. 
Registering a New Credential"},{"refs":[{"id":"ref-for-relying-party\u2461\u2466\u2462"},{"id":"ref-for-relying-party\u2461\u2466\u2463"},{"id":"ref-for-relying-party\u2461\u2466\u2464"},{"id":"ref-for-relying-party\u2461\u2466\u2465"},{"id":"ref-for-relying-party\u2461\u2466\u2466"},{"id":"ref-for-relying-party\u2461\u2466\u2467"},{"id":"ref-for-relying-party\u2461\u2466\u2468"},{"id":"ref-for-relying-party\u2461\u2467\u24ea"},{"id":"ref-for-relying-party\u2461\u2467\u2460"},{"id":"ref-for-relying-party\u2461\u2467\u2461"},{"id":"ref-for-relying-party\u2461\u2467\u2462"},{"id":"ref-for-relying-party\u2461\u2467\u2463"},{"id":"ref-for-relying-party\u2461\u2467\u2464"},{"id":"ref-for-relying-party\u2461\u2467\u2465"},{"id":"ref-for-relying-party\u2461\u2467\u2466"},{"id":"ref-for-relying-party\u2461\u2467\u2467"},{"id":"ref-for-relying-party\u2461\u2467\u2468"},{"id":"ref-for-relying-party\u2461\u2468\u24ea"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2460"},{"id":"ref-for-relying-party\u2461\u2468\u2461"}],"title":"8.2.1. Certificate Requirements for Packed Attestation Statements"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2462"},{"id":"ref-for-relying-party\u2461\u2468\u2463"}],"title":"8.9. Compound Attestation Statement Format"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2464"},{"id":"ref-for-relying-party\u2461\u2468\u2465"},{"id":"ref-for-relying-party\u2461\u2468\u2466"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2467"}],"title":"9.2. Defining Extensions"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2468"},{"id":"ref-for-relying-party\u2462\u24ea\u24ea"},{"id":"ref-for-relying-party\u2462\u24ea\u2460"}],"title":"9.3. Extending Request Parameters"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2461"}],"title":"9.5. 
Authenticator Extension Processing"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2462"},{"id":"ref-for-relying-party\u2462\u24ea\u2463"},{"id":"ref-for-relying-party\u2462\u24ea\u2464"},{"id":"ref-for-relying-party\u2462\u24ea\u2465"},{"id":"ref-for-relying-party\u2462\u24ea\u2466"}],"title":"10.1.1. FIDO AppID Extension (appid)"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2467"},{"id":"ref-for-relying-party\u2462\u24ea\u2468"}],"title":"10.1.2. FIDO AppID Exclusion Extension (appidExclude)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2460\u24ea"},{"id":"ref-for-relying-party\u2462\u2460\u2460"},{"id":"ref-for-relying-party\u2462\u2460\u2461"},{"id":"ref-for-relying-party\u2462\u2460\u2462"},{"id":"ref-for-relying-party\u2462\u2460\u2463"},{"id":"ref-for-relying-party\u2462\u2460\u2464"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2460\u2465"},{"id":"ref-for-relying-party\u2462\u2460\u2466"},{"id":"ref-for-relying-party\u2462\u2460\u2467"}],"title":"10.1.4. Pseudo-random function extension (prf)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2460\u2468"},{"id":"ref-for-relying-party\u2462\u2461\u24ea"},{"id":"ref-for-relying-party\u2462\u2461\u2460"},{"id":"ref-for-relying-party\u2462\u2461\u2461"},{"id":"ref-for-relying-party\u2462\u2461\u2462"},{"id":"ref-for-relying-party\u2462\u2461\u2463"},{"id":"ref-for-relying-party\u2462\u2461\u2464"},{"id":"ref-for-relying-party\u2462\u2461\u2465"}],"title":"10.1.5. Large blob storage extension (largeBlob)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461\u2466"}],"title":"12.4. WebAuthn Extension Identifier Registrations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461\u2467"},{"id":"ref-for-relying-party\u2462\u2461\u2468"},{"id":"ref-for-relying-party\u2462\u2462\u24ea"},{"id":"ref-for-relying-party\u2462\u2462\u2460"}],"title":"13. 
Security Considerations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2461"},{"id":"ref-for-relying-party\u2462\u2462\u2462"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2463"},{"id":"ref-for-relying-party\u2462\u2462\u2464"}],"title":"13.3.2. Attestation Certificate and Attestation Certificate CA Compromise"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2465"}],"title":"13.4. Security considerations for Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2466"},{"id":"ref-for-relying-party\u2462\u2462\u2467"},{"id":"ref-for-relying-party\u2462\u2462\u2468"},{"id":"ref-for-relying-party\u2462\u2463\u24ea"},{"id":"ref-for-relying-party\u2462\u2463\u2460"},{"id":"ref-for-relying-party\u2462\u2463\u2461"}],"title":"13.4.1. Security Benefits for WebAuthn Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2462\u2463\u2462"},{"id":"ref-for-relying-party\u2462\u2463\u2463"},{"id":"ref-for-relying-party\u2462\u2463\u2464"},{"id":"ref-for-relying-party\u2462\u2463\u2465"}],"title":"13.4.2. Visibility Considerations for Embedded Usage"},{"refs":[{"id":"ref-for-relying-party\u2462\u2463\u2466"},{"id":"ref-for-relying-party\u2462\u2463\u2467"}],"title":"13.4.3. Cryptographic Challenges"},{"refs":[{"id":"ref-for-relying-party\u2462\u2463\u2468"},{"id":"ref-for-relying-party\u2462\u2464\u24ea"},{"id":"ref-for-relying-party\u2462\u2464\u2460"},{"id":"ref-for-relying-party\u2462\u2464\u2461"},{"id":"ref-for-relying-party\u2462\u2464\u2462"},{"id":"ref-for-relying-party\u2462\u2464\u2463"},{"id":"ref-for-relying-party\u2462\u2464\u2464"},{"id":"ref-for-relying-party\u2462\u2464\u2465"}],"title":"13.4.4. Attestation Limitations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2464\u2466"},{"id":"ref-for-relying-party\u2462\u2464\u2467"},{"id":"ref-for-relying-party\u2462\u2464\u2468"}],"title":"13.4.5. 
Revoked Attestation Certificates"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u24ea"},{"id":"ref-for-relying-party\u2462\u2465\u2460"},{"id":"ref-for-relying-party\u2462\u2465\u2461"}],"title":"13.4.6. Credential Loss and Key Mobility"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u2462"},{"id":"ref-for-relying-party\u2462\u2465\u2463"}],"title":"13.4.7. Unprotected account detection"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u2464"},{"id":"ref-for-relying-party\u2462\u2465\u2465"},{"id":"ref-for-relying-party\u2462\u2465\u2466"},{"id":"ref-for-relying-party\u2462\u2465\u2467"},{"id":"ref-for-relying-party\u2462\u2465\u2468"},{"id":"ref-for-relying-party\u2462\u2466\u24ea"},{"id":"ref-for-relying-party\u2462\u2466\u2460"},{"id":"ref-for-relying-party\u2462\u2466\u2461"},{"id":"ref-for-relying-party\u2462\u2466\u2462"}],"title":"13.4.8. Code injection attacks"},{"refs":[{"id":"ref-for-relying-party\u2462\u2466\u2463"},{"id":"ref-for-relying-party\u2462\u2466\u2464"},{"id":"ref-for-relying-party\u2462\u2466\u2465"},{"id":"ref-for-relying-party\u2462\u2466\u2466"},{"id":"ref-for-relying-party\u2462\u2466\u2467"},{"id":"ref-for-relying-party\u2462\u2466\u2468"},{"id":"ref-for-relying-party\u2462\u2467\u24ea"}],"title":"13.4.9. Validating the origin of a credential"},{"refs":[{"id":"ref-for-relying-party\u2462\u2467\u2460"}],"title":"14. Privacy Considerations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2467\u2461"},{"id":"ref-for-relying-party\u2462\u2467\u2462"},{"id":"ref-for-relying-party\u2462\u2467\u2463"},{"id":"ref-for-relying-party\u2462\u2467\u2464"},{"id":"ref-for-relying-party\u2462\u2467\u2465"},{"id":"ref-for-relying-party\u2462\u2467\u2466"},{"id":"ref-for-relying-party\u2462\u2467\u2467"}],"title":"14.1. 
De-anonymization Prevention Measures"},{"refs":[{"id":"ref-for-relying-party\u2462\u2467\u2468"},{"id":"ref-for-relying-party\u2462\u2468\u24ea"},{"id":"ref-for-relying-party\u2462\u2468\u2460"},{"id":"ref-for-relying-party\u2462\u2468\u2461"},{"id":"ref-for-relying-party\u2462\u2468\u2462"},{"id":"ref-for-relying-party\u2462\u2468\u2463"},{"id":"ref-for-relying-party\u2462\u2468\u2464"},{"id":"ref-for-relying-party\u2462\u2468\u2465"},{"id":"ref-for-relying-party\u2462\u2468\u2466"},{"id":"ref-for-relying-party\u2462\u2468\u2467"},{"id":"ref-for-relying-party\u2462\u2468\u2468"}],"title":"14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u24ea"},{"id":"ref-for-relying-party\u2463\u24ea\u2460"},{"id":"ref-for-relying-party\u2463\u24ea\u2461"},{"id":"ref-for-relying-party\u2463\u24ea\u2462"},{"id":"ref-for-relying-party\u2463\u24ea\u2463"}],"title":"14.3. Authenticator-local Biometric Recognition"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u2464"},{"id":"ref-for-relying-party\u2463\u24ea\u2465"},{"id":"ref-for-relying-party\u2463\u24ea\u2466"}],"title":"14.5.1. Registration Ceremony Privacy"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u2467"},{"id":"ref-for-relying-party\u2463\u24ea\u2468"},{"id":"ref-for-relying-party\u2463\u2460\u24ea"},{"id":"ref-for-relying-party\u2463\u2460\u2460"}],"title":"14.5.2. Authentication Ceremony Privacy"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2461"}],"title":"14.6. Privacy considerations for Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2462"},{"id":"ref-for-relying-party\u2463\u2460\u2463"}],"title":"14.6.1. 
User Handle Contents"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2464"},{"id":"ref-for-relying-party\u2463\u2460\u2465"},{"id":"ref-for-relying-party\u2463\u2460\u2466"},{"id":"ref-for-relying-party\u2463\u2460\u2467"},{"id":"ref-for-relying-party\u2463\u2460\u2468"},{"id":"ref-for-relying-party\u2463\u2461\u24ea"},{"id":"ref-for-relying-party\u2463\u2461\u2460"},{"id":"ref-for-relying-party\u2463\u2461\u2461"},{"id":"ref-for-relying-party\u2463\u2461\u2462"},{"id":"ref-for-relying-party\u2463\u2461\u2463"},{"id":"ref-for-relying-party\u2463\u2461\u2464"},{"id":"ref-for-relying-party\u2463\u2461\u2465"}],"title":"14.6.2. Username Enumeration"},{"refs":[{"id":"ref-for-relying-party\u2463\u2461\u2466"},{"id":"ref-for-relying-party\u2463\u2461\u2467"},{"id":"ref-for-relying-party\u2463\u2461\u2468"},{"id":"ref-for-relying-party\u2463\u2462\u24ea"},{"id":"ref-for-relying-party\u2463\u2462\u2460"}],"title":"14.6.3. Privacy leak via credential IDs"},{"refs":[{"id":"ref-for-relying-party\u2463\u2462\u2461"}],"title":"15. Accessibility Considerations"},{"refs":[{"id":"ref-for-relying-party\u2463\u2462\u2462"}],"title":"15.1. Recommended Range for Ceremony Timeouts"}],"url":"#relying-party"}, +"relying-party": {"dfnID":"relying-party","dfnText":"Relying Party","external":false,"refSections":[{"refs":[{"id":"ref-for-relying-party\u2460"},{"id":"ref-for-relying-party\u2461"},{"id":"ref-for-relying-party\u2462"},{"id":"ref-for-relying-party\u2463"},{"id":"ref-for-relying-party\u2464"},{"id":"ref-for-relying-party\u2465"},{"id":"ref-for-relying-party\u2466"}],"title":"1. Introduction"},{"refs":[{"id":"ref-for-relying-party\u2467"},{"id":"ref-for-relying-party\u2468"},{"id":"ref-for-relying-party\u2460\u24ea"},{"id":"ref-for-relying-party\u2460\u2460"},{"id":"ref-for-relying-party\u2460\u2461"},{"id":"ref-for-relying-party\u2460\u2462"},{"id":"ref-for-relying-party\u2460\u2463"},{"id":"ref-for-relying-party\u2460\u2464"}],"title":"1.1. 
Specification Roadmap"},{"refs":[{"id":"ref-for-relying-party\u2460\u2465"}],"title":"1.2.3. New Device Registration"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466"}],"title":"1.2.4. Other Use Cases and Configurations"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467"},{"id":"ref-for-relying-party\u2460\u2468"},{"id":"ref-for-relying-party\u2461\u24ea"},{"id":"ref-for-relying-party\u2461\u2460"}],"title":"1.3.1. Registration"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461"},{"id":"ref-for-relying-party\u2461\u2462"},{"id":"ref-for-relying-party\u2461\u2463"}],"title":"1.3.2. Registration Specifically with User-Verifying Platform Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2461\u2464"},{"id":"ref-for-relying-party\u2461\u2465"},{"id":"ref-for-relying-party\u2461\u2466"},{"id":"ref-for-relying-party\u2461\u2467"},{"id":"ref-for-relying-party\u2461\u2468"}],"title":"1.3.3. Authentication"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea"},{"id":"ref-for-relying-party\u2462\u2460"}],"title":"1.3.5. Decommissioning"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461"}],"title":"2.1.1. 
Enumerations as DOMString types"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462"},{"id":"ref-for-relying-party\u2462\u2463"},{"id":"ref-for-relying-party\u2462\u2464"},{"id":"ref-for-relying-party\u2462\u2465"},{"id":"ref-for-relying-party\u2462\u2466"},{"id":"ref-for-relying-party\u2462\u2467"},{"id":"ref-for-relying-party\u2462\u2468"},{"id":"ref-for-relying-party\u2463\u24ea"},{"id":"ref-for-relying-party\u2463\u2460"},{"id":"ref-for-relying-party\u2463\u2461"},{"id":"ref-for-relying-party\u2463\u2462"},{"id":"ref-for-relying-party\u2463\u2463"},{"id":"ref-for-relying-party\u2463\u2464"},{"id":"ref-for-relying-party\u2463\u2465"},{"id":"ref-for-relying-party\u2463\u2466"},{"id":"ref-for-relying-party\u2463\u2467"},{"id":"ref-for-relying-party\u2463\u2468"},{"id":"ref-for-relying-party\u2464\u24ea"},{"id":"ref-for-relying-party\u2464\u2460"},{"id":"ref-for-relying-party\u2464\u2461"},{"id":"ref-for-relying-party\u2464\u2462"},{"id":"ref-for-relying-party\u2464\u2463"},{"id":"ref-for-relying-party\u2464\u2464"},{"id":"ref-for-relying-party\u2464\u2465"},{"id":"ref-for-relying-party\u2464\u2466"},{"id":"ref-for-relying-party\u2464\u2467"},{"id":"ref-for-relying-party\u2464\u2468"},{"id":"ref-for-relying-party\u2465\u24ea"},{"id":"ref-for-relying-party\u2465\u2460"},{"id":"ref-for-relying-party\u2465\u2461"},{"id":"ref-for-relying-party\u2465\u2462"},{"id":"ref-for-relying-party\u2465\u2463"},{"id":"ref-for-relying-party\u2465\u2464"},{"id":"ref-for-relying-party\u2465\u2465"},{"id":"ref-for-relying-party\u2465\u2466"},{"id":"ref-for-relying-party\u2465\u2467"},{"id":"ref-for-relying-party\u2465\u2468"},{"id":"ref-for-relying-party\u2466\u24ea"},{"id":"ref-for-relying-party\u2466\u2460"},{"id":"ref-for-relying-party\u2466\u2461"},{"id":"ref-for-relying-party\u2466\u2462"},{"id":"ref-for-relying-party\u2466\u2463"},{"id":"ref-for-relying-party\u2466\u2464"},{"id":"ref-for-relying-party\u2466\u2465"},{"id":"ref-for-relying-party\u2466\u2466"},{"id":"ref-for-relying
-party\u2466\u2467"},{"id":"ref-for-relying-party\u2466\u2468"},{"id":"ref-for-relying-party\u2467\u24ea"},{"id":"ref-for-relying-party\u2467\u2460"},{"id":"ref-for-relying-party\u2467\u2461"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-relying-party\u2467\u2462"},{"id":"ref-for-relying-party\u2467\u2463"},{"id":"ref-for-relying-party\u2467\u2464"},{"id":"ref-for-relying-party\u2467\u2465"},{"id":"ref-for-relying-party\u2467\u2466"},{"id":"ref-for-relying-party\u2467\u2467"},{"id":"ref-for-relying-party\u2467\u2468"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-relying-party\u2468\u24ea"},{"id":"ref-for-relying-party\u2468\u2460"},{"id":"ref-for-relying-party\u2468\u2461"},{"id":"ref-for-relying-party\u2468\u2462"},{"id":"ref-for-relying-party\u2468\u2463"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-relying-party\u2468\u2464"},{"id":"ref-for-relying-party\u2468\u2465"},{"id":"ref-for-relying-party\u2468\u2466"},{"id":"ref-for-relying-party\u2468\u2467"},{"id":"ref-for-relying-party\u2468\u2468"},{"id":"ref-for-relying-party\u2460\u24ea\u24ea"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2460"},{"id":"ref-for-relying-party\u2460\u24ea\u2461"},{"id":"ref-for-relying-party\u2460\u24ea\u2462"},{"id":"ref-for-relying-party\u2460\u24ea\u2463"}],"title":"5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential\u2019s [[Get]](options) Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2464"},{"id":"ref-for-relying-party\u2460\u24ea\u2465"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2466"}],"title":"5.1.6. 
Availability of User-Verifying Platform Authenticator - PublicKeyCredential\u2019s isUserVerifyingPlatformAuthenticatorAvailable() Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u24ea\u2467"},{"id":"ref-for-relying-party\u2460\u24ea\u2468"}],"title":"5.1.7. Availability of client capabilities - PublicKeyCredential\u2019s getClientCapabilities() Method"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u24ea"},{"id":"ref-for-relying-party\u2460\u2460\u2460"}],"title":"5.1.10.3. signalAllAcceptedCredentials(options)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2461"}],"title":"5.2. Authenticator Responses (interface AuthenticatorResponse)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2462"},{"id":"ref-for-relying-party\u2460\u2460\u2463"}],"title":"5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2460\u2464"},{"id":"ref-for-relying-party\u2460\u2460\u2465"},{"id":"ref-for-relying-party\u2460\u2460\u2466"},{"id":"ref-for-relying-party\u2460\u2460\u2467"},{"id":"ref-for-relying-party\u2460\u2460\u2468"},{"id":"ref-for-relying-party\u2460\u2461\u24ea"},{"id":"ref-for-relying-party\u2460\u2461\u2460"}],"title":"5.2.1.1. Easily accessing credential data"},{"refs":[{"id":"ref-for-relying-party\u2460\u2461\u2461"},{"id":"ref-for-relying-party\u2460\u2461\u2462"},{"id":"ref-for-relying-party\u2460\u2461\u2463"},{"id":"ref-for-relying-party\u2460\u2461\u2464"},{"id":"ref-for-relying-party\u2460\u2461\u2465"},{"id":"ref-for-relying-party\u2460\u2461\u2466"},{"id":"ref-for-relying-party\u2460\u2461\u2467"},{"id":"ref-for-relying-party\u2460\u2461\u2468"},{"id":"ref-for-relying-party\u2460\u2462\u24ea"},{"id":"ref-for-relying-party\u2460\u2462\u2460"},{"id":"ref-for-relying-party\u2460\u2462\u2461"}],"title":"5.4. 
Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2462\u2462"},{"id":"ref-for-relying-party\u2460\u2462\u2463"},{"id":"ref-for-relying-party\u2460\u2462\u2464"},{"id":"ref-for-relying-party\u2460\u2462\u2465"},{"id":"ref-for-relying-party\u2460\u2462\u2466"},{"id":"ref-for-relying-party\u2460\u2462\u2467"},{"id":"ref-for-relying-party\u2460\u2462\u2468"}],"title":"5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u24ea"},{"id":"ref-for-relying-party\u2460\u2463\u2460"}],"title":"5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u2461"},{"id":"ref-for-relying-party\u2460\u2463\u2462"},{"id":"ref-for-relying-party\u2460\u2463\u2463"},{"id":"ref-for-relying-party\u2460\u2463\u2464"},{"id":"ref-for-relying-party\u2460\u2463\u2465"}],"title":"5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2463\u2466"},{"id":"ref-for-relying-party\u2460\u2463\u2467"},{"id":"ref-for-relying-party\u2460\u2463\u2468"}],"title":"5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2464\u24ea"},{"id":"ref-for-relying-party\u2460\u2464\u2460"},{"id":"ref-for-relying-party\u2460\u2464\u2461"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2464\u2462"},{"id":"ref-for-relying-party\u2460\u2464\u2463"},{"id":"ref-for-relying-party\u2460\u2464\u2464"},{"id":"ref-for-relying-party\u2460\u2464\u2465"},{"id":"ref-for-relying-party\u2460\u2464\u2466"},{"id":"ref-for-relying-party\u2460\u2464\u2467"}],"title":"5.4.6. 
Resident Key Requirement Enumeration (enum ResidentKeyRequirement)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2464\u2468"},{"id":"ref-for-relying-party\u2460\u2465\u24ea"},{"id":"ref-for-relying-party\u2460\u2465\u2460"},{"id":"ref-for-relying-party\u2460\u2465\u2461"},{"id":"ref-for-relying-party\u2460\u2465\u2462"},{"id":"ref-for-relying-party\u2460\u2465\u2463"},{"id":"ref-for-relying-party\u2460\u2465\u2464"},{"id":"ref-for-relying-party\u2460\u2465\u2465"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2465\u2466"},{"id":"ref-for-relying-party\u2460\u2465\u2467"},{"id":"ref-for-relying-party\u2460\u2465\u2468"},{"id":"ref-for-relying-party\u2460\u2466\u24ea"},{"id":"ref-for-relying-party\u2460\u2466\u2460"},{"id":"ref-for-relying-party\u2460\u2466\u2461"},{"id":"ref-for-relying-party\u2460\u2466\u2462"},{"id":"ref-for-relying-party\u2460\u2466\u2463"},{"id":"ref-for-relying-party\u2460\u2466\u2464"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466\u2465"}],"title":"5.7.3. Authentication Extensions Authenticator Inputs (CDDL type AuthenticationExtensionsAuthenticatorInputs)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2466\u2466"},{"id":"ref-for-relying-party\u2460\u2466\u2467"},{"id":"ref-for-relying-party\u2460\u2466\u2468"},{"id":"ref-for-relying-party\u2460\u2467\u24ea"},{"id":"ref-for-relying-party\u2460\u2467\u2460"}],"title":"5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2461"}],"title":"5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2462"},{"id":"ref-for-relying-party\u2460\u2467\u2463"},{"id":"ref-for-relying-party\u2460\u2467\u2464"}],"title":"5.8.6. 
User Verification Requirement Enumeration (enum UserVerificationRequirement)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2465"}],"title":"5.8.7. Client Capability Enumeration (enum ClientCapability)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2467\u2466"},{"id":"ref-for-relying-party\u2460\u2467\u2467"},{"id":"ref-for-relying-party\u2460\u2467\u2468"},{"id":"ref-for-relying-party\u2460\u2468\u24ea"},{"id":"ref-for-relying-party\u2460\u2468\u2460"},{"id":"ref-for-relying-party\u2460\u2468\u2461"},{"id":"ref-for-relying-party\u2460\u2468\u2462"}],"title":"5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHint)"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2463"}],"title":"5.10. Using Web Authentication within iframe elements"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2464"}],"title":"5.11. Using Web Authentication across related origins"},{"refs":[{"id":"ref-for-relying-party\u2460\u2468\u2465"},{"id":"ref-for-relying-party\u2460\u2468\u2466"},{"id":"ref-for-relying-party\u2460\u2468\u2467"},{"id":"ref-for-relying-party\u2460\u2468\u2468"},{"id":"ref-for-relying-party\u2461\u24ea\u24ea"}],"title":"6. WebAuthn Authenticator Model"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u2460"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u2461"},{"id":"ref-for-relying-party\u2461\u24ea\u2462"},{"id":"ref-for-relying-party\u2461\u24ea\u2463"},{"id":"ref-for-relying-party\u2461\u24ea\u2464"},{"id":"ref-for-relying-party\u2461\u24ea\u2465"}],"title":"6.1.1. Signature Counter Considerations"},{"refs":[{"id":"ref-for-relying-party\u2461\u24ea\u2466"},{"id":"ref-for-relying-party\u2461\u24ea\u2467"},{"id":"ref-for-relying-party\u2461\u24ea\u2468"},{"id":"ref-for-relying-party\u2461\u2460\u24ea"},{"id":"ref-for-relying-party\u2461\u2460\u2460"}],"title":"6.1.3. Credential Backup State"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2461"}],"title":"6.2. 
Authenticator Taxonomy"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2462"},{"id":"ref-for-relying-party\u2461\u2460\u2463"},{"id":"ref-for-relying-party\u2461\u2460\u2464"}],"title":"6.2.2. Credential Storage Modality"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2465"},{"id":"ref-for-relying-party\u2461\u2460\u2466"},{"id":"ref-for-relying-party\u2461\u2460\u2467"}],"title":"6.2.3. Authentication Factor Capability"},{"refs":[{"id":"ref-for-relying-party\u2461\u2460\u2468"},{"id":"ref-for-relying-party\u2461\u2461\u24ea"},{"id":"ref-for-relying-party\u2461\u2461\u2460"},{"id":"ref-for-relying-party\u2461\u2461\u2461"},{"id":"ref-for-relying-party\u2461\u2461\u2462"},{"id":"ref-for-relying-party\u2461\u2461\u2463"},{"id":"ref-for-relying-party\u2461\u2461\u2464"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461\u2465"},{"id":"ref-for-relying-party\u2461\u2461\u2466"},{"id":"ref-for-relying-party\u2461\u2461\u2467"}],"title":"6.3.3. The authenticatorGetAssertion Operation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2461\u2468"}],"title":"6.4. String Handling"},{"refs":[{"id":"ref-for-relying-party\u2461\u2462\u24ea"}],"title":"6.4.1.1. String Truncation by Clients"},{"refs":[{"id":"ref-for-relying-party\u2461\u2462\u2460"},{"id":"ref-for-relying-party\u2461\u2462\u2461"},{"id":"ref-for-relying-party\u2461\u2462\u2462"},{"id":"ref-for-relying-party\u2461\u2462\u2463"},{"id":"ref-for-relying-party\u2461\u2462\u2464"},{"id":"ref-for-relying-party\u2461\u2462\u2465"},{"id":"ref-for-relying-party\u2461\u2462\u2466"},{"id":"ref-for-relying-party\u2461\u2462\u2467"}],"title":"6.5. Attestation"},{"refs":[{"id":"ref-for-relying-party\u2461\u2462\u2468"},{"id":"ref-for-relying-party\u2461\u2463\u24ea"},{"id":"ref-for-relying-party\u2461\u2463\u2460"},{"id":"ref-for-relying-party\u2461\u2463\u2461"},{"id":"ref-for-relying-party\u2461\u2463\u2462"}],"title":"6.5.3. 
Attestation Types"},{"refs":[{"id":"ref-for-relying-party\u2461\u2463\u2463"},{"id":"ref-for-relying-party\u2461\u2463\u2464"},{"id":"ref-for-relying-party\u2461\u2463\u2465"},{"id":"ref-for-relying-party\u2461\u2463\u2466"}],"title":"7. WebAuthn Relying Party Operations"},{"refs":[{"id":"ref-for-relying-party\u2461\u2463\u2467"},{"id":"ref-for-relying-party\u2461\u2463\u2468"},{"id":"ref-for-relying-party\u2461\u2464\u24ea"},{"id":"ref-for-relying-party\u2461\u2464\u2460"},{"id":"ref-for-relying-party\u2461\u2464\u2461"},{"id":"ref-for-relying-party\u2461\u2464\u2462"},{"id":"ref-for-relying-party\u2461\u2464\u2463"},{"id":"ref-for-relying-party\u2461\u2464\u2464"},{"id":"ref-for-relying-party\u2461\u2464\u2465"},{"id":"ref-for-relying-party\u2461\u2464\u2466"},{"id":"ref-for-relying-party\u2461\u2464\u2467"},{"id":"ref-for-relying-party\u2461\u2464\u2468"},{"id":"ref-for-relying-party\u2461\u2465\u24ea"},{"id":"ref-for-relying-party\u2461\u2465\u2460"},{"id":"ref-for-relying-party\u2461\u2465\u2461"},{"id":"ref-for-relying-party\u2461\u2465\u2462"},{"id":"ref-for-relying-party\u2461\u2465\u2463"},{"id":"ref-for-relying-party\u2461\u2465\u2464"},{"id":"ref-for-relying-party\u2461\u2465\u2465"},{"id":"ref-for-relying-party\u2461\u2465\u2466"},{"id":"ref-for-relying-party\u2461\u2465\u2467"},{"id":"ref-for-relying-party\u2461\u2465\u2468"},{"id":"ref-for-relying-party\u2461\u2466\u24ea"},{"id":"ref-for-relying-party\u2461\u2466\u2460"},{"id":"ref-for-relying-party\u2461\u2466\u2461"},{"id":"ref-for-relying-party\u2461\u2466\u2462"}],"title":"7.1. 
Registering a New Credential"},{"refs":[{"id":"ref-for-relying-party\u2461\u2466\u2463"},{"id":"ref-for-relying-party\u2461\u2466\u2464"},{"id":"ref-for-relying-party\u2461\u2466\u2465"},{"id":"ref-for-relying-party\u2461\u2466\u2466"},{"id":"ref-for-relying-party\u2461\u2466\u2467"},{"id":"ref-for-relying-party\u2461\u2466\u2468"},{"id":"ref-for-relying-party\u2461\u2467\u24ea"},{"id":"ref-for-relying-party\u2461\u2467\u2460"},{"id":"ref-for-relying-party\u2461\u2467\u2461"},{"id":"ref-for-relying-party\u2461\u2467\u2462"},{"id":"ref-for-relying-party\u2461\u2467\u2463"},{"id":"ref-for-relying-party\u2461\u2467\u2464"},{"id":"ref-for-relying-party\u2461\u2467\u2465"},{"id":"ref-for-relying-party\u2461\u2467\u2466"},{"id":"ref-for-relying-party\u2461\u2467\u2467"},{"id":"ref-for-relying-party\u2461\u2467\u2468"},{"id":"ref-for-relying-party\u2461\u2468\u24ea"},{"id":"ref-for-relying-party\u2461\u2468\u2460"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2461"},{"id":"ref-for-relying-party\u2461\u2468\u2462"}],"title":"8.2.1. Certificate Requirements for Packed Attestation Statements"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2463"},{"id":"ref-for-relying-party\u2461\u2468\u2464"}],"title":"8.9. Compound Attestation Statement Format"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2465"},{"id":"ref-for-relying-party\u2461\u2468\u2466"},{"id":"ref-for-relying-party\u2461\u2468\u2467"}],"title":"9. WebAuthn Extensions"},{"refs":[{"id":"ref-for-relying-party\u2461\u2468\u2468"}],"title":"9.2. Defining Extensions"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u24ea"},{"id":"ref-for-relying-party\u2462\u24ea\u2460"},{"id":"ref-for-relying-party\u2462\u24ea\u2461"}],"title":"9.3. Extending Request Parameters"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2462"}],"title":"9.5. 
Authenticator Extension Processing"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2463"},{"id":"ref-for-relying-party\u2462\u24ea\u2464"},{"id":"ref-for-relying-party\u2462\u24ea\u2465"},{"id":"ref-for-relying-party\u2462\u24ea\u2466"},{"id":"ref-for-relying-party\u2462\u24ea\u2467"}],"title":"10.1.1. FIDO AppID Extension (appid)"},{"refs":[{"id":"ref-for-relying-party\u2462\u24ea\u2468"},{"id":"ref-for-relying-party\u2462\u2460\u24ea"}],"title":"10.1.2. FIDO AppID Exclusion Extension (appidExclude)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2460\u2460"},{"id":"ref-for-relying-party\u2462\u2460\u2461"},{"id":"ref-for-relying-party\u2462\u2460\u2462"},{"id":"ref-for-relying-party\u2462\u2460\u2463"},{"id":"ref-for-relying-party\u2462\u2460\u2464"},{"id":"ref-for-relying-party\u2462\u2460\u2465"}],"title":"10.1.3. Credential Properties Extension (credProps)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2460\u2466"},{"id":"ref-for-relying-party\u2462\u2460\u2467"},{"id":"ref-for-relying-party\u2462\u2460\u2468"}],"title":"10.1.4. Pseudo-random function extension (prf)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461\u24ea"},{"id":"ref-for-relying-party\u2462\u2461\u2460"},{"id":"ref-for-relying-party\u2462\u2461\u2461"},{"id":"ref-for-relying-party\u2462\u2461\u2462"},{"id":"ref-for-relying-party\u2462\u2461\u2463"},{"id":"ref-for-relying-party\u2462\u2461\u2464"},{"id":"ref-for-relying-party\u2462\u2461\u2465"},{"id":"ref-for-relying-party\u2462\u2461\u2466"}],"title":"10.1.5. Large blob storage extension (largeBlob)"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461\u2467"}],"title":"12.4. WebAuthn Extension Identifier Registrations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2461\u2468"},{"id":"ref-for-relying-party\u2462\u2462\u24ea"},{"id":"ref-for-relying-party\u2462\u2462\u2460"},{"id":"ref-for-relying-party\u2462\u2462\u2461"}],"title":"13. 
Security Considerations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2462"},{"id":"ref-for-relying-party\u2462\u2462\u2463"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2464"},{"id":"ref-for-relying-party\u2462\u2462\u2465"}],"title":"13.3.2. Attestation Certificate and Attestation Certificate CA Compromise"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2466"}],"title":"13.4. Security considerations for Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2462\u2462\u2467"},{"id":"ref-for-relying-party\u2462\u2462\u2468"},{"id":"ref-for-relying-party\u2462\u2463\u24ea"},{"id":"ref-for-relying-party\u2462\u2463\u2460"},{"id":"ref-for-relying-party\u2462\u2463\u2461"},{"id":"ref-for-relying-party\u2462\u2463\u2462"}],"title":"13.4.1. Security Benefits for WebAuthn Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2462\u2463\u2463"},{"id":"ref-for-relying-party\u2462\u2463\u2464"},{"id":"ref-for-relying-party\u2462\u2463\u2465"},{"id":"ref-for-relying-party\u2462\u2463\u2466"}],"title":"13.4.2. Visibility Considerations for Embedded Usage"},{"refs":[{"id":"ref-for-relying-party\u2462\u2463\u2467"},{"id":"ref-for-relying-party\u2462\u2463\u2468"}],"title":"13.4.3. Cryptographic Challenges"},{"refs":[{"id":"ref-for-relying-party\u2462\u2464\u24ea"},{"id":"ref-for-relying-party\u2462\u2464\u2460"},{"id":"ref-for-relying-party\u2462\u2464\u2461"},{"id":"ref-for-relying-party\u2462\u2464\u2462"},{"id":"ref-for-relying-party\u2462\u2464\u2463"},{"id":"ref-for-relying-party\u2462\u2464\u2464"},{"id":"ref-for-relying-party\u2462\u2464\u2465"},{"id":"ref-for-relying-party\u2462\u2464\u2466"}],"title":"13.4.4. Attestation Limitations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2464\u2467"},{"id":"ref-for-relying-party\u2462\u2464\u2468"},{"id":"ref-for-relying-party\u2462\u2465\u24ea"}],"title":"13.4.5. 
Revoked Attestation Certificates"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u2460"},{"id":"ref-for-relying-party\u2462\u2465\u2461"},{"id":"ref-for-relying-party\u2462\u2465\u2462"}],"title":"13.4.6. Credential Loss and Key Mobility"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u2463"},{"id":"ref-for-relying-party\u2462\u2465\u2464"}],"title":"13.4.7. Unprotected account detection"},{"refs":[{"id":"ref-for-relying-party\u2462\u2465\u2465"},{"id":"ref-for-relying-party\u2462\u2465\u2466"},{"id":"ref-for-relying-party\u2462\u2465\u2467"},{"id":"ref-for-relying-party\u2462\u2465\u2468"},{"id":"ref-for-relying-party\u2462\u2466\u24ea"},{"id":"ref-for-relying-party\u2462\u2466\u2460"},{"id":"ref-for-relying-party\u2462\u2466\u2461"},{"id":"ref-for-relying-party\u2462\u2466\u2462"},{"id":"ref-for-relying-party\u2462\u2466\u2463"}],"title":"13.4.8. Code injection attacks"},{"refs":[{"id":"ref-for-relying-party\u2462\u2466\u2464"},{"id":"ref-for-relying-party\u2462\u2466\u2465"},{"id":"ref-for-relying-party\u2462\u2466\u2466"},{"id":"ref-for-relying-party\u2462\u2466\u2467"},{"id":"ref-for-relying-party\u2462\u2466\u2468"},{"id":"ref-for-relying-party\u2462\u2467\u24ea"},{"id":"ref-for-relying-party\u2462\u2467\u2460"}],"title":"13.4.9. Validating the origin of a credential"},{"refs":[{"id":"ref-for-relying-party\u2462\u2467\u2461"}],"title":"14. Privacy Considerations"},{"refs":[{"id":"ref-for-relying-party\u2462\u2467\u2462"},{"id":"ref-for-relying-party\u2462\u2467\u2463"},{"id":"ref-for-relying-party\u2462\u2467\u2464"},{"id":"ref-for-relying-party\u2462\u2467\u2465"},{"id":"ref-for-relying-party\u2462\u2467\u2466"},{"id":"ref-for-relying-party\u2462\u2467\u2467"},{"id":"ref-for-relying-party\u2462\u2467\u2468"}],"title":"14.1. 
De-anonymization Prevention Measures"},{"refs":[{"id":"ref-for-relying-party\u2462\u2468\u24ea"},{"id":"ref-for-relying-party\u2462\u2468\u2460"},{"id":"ref-for-relying-party\u2462\u2468\u2461"},{"id":"ref-for-relying-party\u2462\u2468\u2462"},{"id":"ref-for-relying-party\u2462\u2468\u2463"},{"id":"ref-for-relying-party\u2462\u2468\u2464"},{"id":"ref-for-relying-party\u2462\u2468\u2465"},{"id":"ref-for-relying-party\u2462\u2468\u2466"},{"id":"ref-for-relying-party\u2462\u2468\u2467"},{"id":"ref-for-relying-party\u2462\u2468\u2468"},{"id":"ref-for-relying-party\u2463\u24ea\u24ea"}],"title":"14.2. Anonymous, Scoped, Non-correlatable Public Key Credentials"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u2460"},{"id":"ref-for-relying-party\u2463\u24ea\u2461"},{"id":"ref-for-relying-party\u2463\u24ea\u2462"},{"id":"ref-for-relying-party\u2463\u24ea\u2463"},{"id":"ref-for-relying-party\u2463\u24ea\u2464"}],"title":"14.3. Authenticator-local Biometric Recognition"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u2465"},{"id":"ref-for-relying-party\u2463\u24ea\u2466"},{"id":"ref-for-relying-party\u2463\u24ea\u2467"}],"title":"14.5.1. Registration Ceremony Privacy"},{"refs":[{"id":"ref-for-relying-party\u2463\u24ea\u2468"},{"id":"ref-for-relying-party\u2463\u2460\u24ea"},{"id":"ref-for-relying-party\u2463\u2460\u2460"},{"id":"ref-for-relying-party\u2463\u2460\u2461"}],"title":"14.5.2. Authentication Ceremony Privacy"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2462"}],"title":"14.6. Privacy considerations for Relying Parties"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2463"},{"id":"ref-for-relying-party\u2463\u2460\u2464"}],"title":"14.6.1. 
User Handle Contents"},{"refs":[{"id":"ref-for-relying-party\u2463\u2460\u2465"},{"id":"ref-for-relying-party\u2463\u2460\u2466"},{"id":"ref-for-relying-party\u2463\u2460\u2467"},{"id":"ref-for-relying-party\u2463\u2460\u2468"},{"id":"ref-for-relying-party\u2463\u2461\u24ea"},{"id":"ref-for-relying-party\u2463\u2461\u2460"},{"id":"ref-for-relying-party\u2463\u2461\u2461"},{"id":"ref-for-relying-party\u2463\u2461\u2462"},{"id":"ref-for-relying-party\u2463\u2461\u2463"},{"id":"ref-for-relying-party\u2463\u2461\u2464"},{"id":"ref-for-relying-party\u2463\u2461\u2465"},{"id":"ref-for-relying-party\u2463\u2461\u2466"}],"title":"14.6.2. Username Enumeration"},{"refs":[{"id":"ref-for-relying-party\u2463\u2461\u2467"},{"id":"ref-for-relying-party\u2463\u2461\u2468"},{"id":"ref-for-relying-party\u2463\u2462\u24ea"},{"id":"ref-for-relying-party\u2463\u2462\u2460"},{"id":"ref-for-relying-party\u2463\u2462\u2461"}],"title":"14.6.3. Privacy leak via credential IDs"},{"refs":[{"id":"ref-for-relying-party\u2463\u2462\u2462"}],"title":"15. Accessibility Considerations"},{"refs":[{"id":"ref-for-relying-party\u2463\u2462\u2463"}],"title":"15.1. Recommended Range for Ceremony Timeouts"}],"url":"#relying-party"}, "relying-party-identifier": {"dfnID":"relying-party-identifier","dfnText":"Relying Party Identifier","external":false,"refSections":[{"refs":[{"id":"ref-for-relying-party-identifier"},{"id":"ref-for-relying-party-identifier\u2460"},{"id":"ref-for-relying-party-identifier\u2461"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-relying-party-identifier\u2462"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-relying-party-identifier\u2463"}],"title":"6.3.5. The silentCredentialDiscovery operation"}],"url":"#relying-party-identifier"}, "remove-all-credentials": {"dfnID":"remove-all-credentials","dfnText":"Remove All Credentials","external":false,"refSections":[{"refs":[{"id":"ref-for-remove-all-credentials"}],"title":"11.8. 
Remove All Credentials"}],"url":"#remove-all-credentials"}, "remove-credential": {"dfnID":"remove-credential","dfnText":"Remove Credential","external":false,"refSections":[{"refs":[{"id":"ref-for-remove-credential"}],"title":"11.7. Remove Credential"}],"url":"#remove-credential"}, 
@@ -11770,7 +11773,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content "resident-key": {"dfnID":"resident-key","dfnText":"Resident Key","external":false,"refSections":[{"refs":[{"id":"ref-for-resident-key"},{"id":"ref-for-resident-key\u2460"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-resident-key\u2461"}],"title":"5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)"}],"url":"#resident-key"}, "roaming-authenticators": {"dfnID":"roaming-authenticators","dfnText":"roaming authenticators","external":false,"refSections":[{"refs":[{"id":"ref-for-roaming-authenticators"}],"title":"1. Introduction"},{"refs":[{"id":"ref-for-roaming-authenticators\u2460"},{"id":"ref-for-roaming-authenticators\u2461"}],"title":"1.2.3. New Device Registration"},{"refs":[{"id":"ref-for-roaming-authenticators\u2462"}],"title":"1.2.4. Other Use Cases and Configurations"},{"refs":[{"id":"ref-for-roaming-authenticators\u2463"}],"title":"1.3.1. Registration"},{"refs":[{"id":"ref-for-roaming-authenticators\u2464"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-roaming-authenticators\u2465"}],"title":"5.1. PublicKeyCredential Interface"},{"refs":[{"id":"ref-for-roaming-authenticators\u2466"},{"id":"ref-for-roaming-authenticators\u2467"}],"title":"6.1.3. Credential Backup State"},{"refs":[{"id":"ref-for-roaming-authenticators\u2468"},{"id":"ref-for-roaming-authenticators\u2460\u24ea"},{"id":"ref-for-roaming-authenticators\u2460\u2460"},{"id":"ref-for-roaming-authenticators\u2460\u2461"},{"id":"ref-for-roaming-authenticators\u2460\u2462"},{"id":"ref-for-roaming-authenticators\u2460\u2463"}],"title":"6.2. 
Authenticator Taxonomy"},{"refs":[{"id":"ref-for-roaming-authenticators\u2460\u2464"},{"id":"ref-for-roaming-authenticators\u2460\u2465"},{"id":"ref-for-roaming-authenticators\u2460\u2466"},{"id":"ref-for-roaming-authenticators\u2460\u2467"},{"id":"ref-for-roaming-authenticators\u2460\u2468"},{"id":"ref-for-roaming-authenticators\u2461\u24ea"},{"id":"ref-for-roaming-authenticators\u2461\u2460"},{"id":"ref-for-roaming-authenticators\u2461\u2461"}],"title":"6.2.1. Authenticator Attachment Modality"},{"refs":[{"id":"ref-for-roaming-authenticators\u2461\u2462"}],"title":"10.1.5. Large blob storage extension (largeBlob)"},{"refs":[{"id":"ref-for-roaming-authenticators\u2461\u2463"},{"id":"ref-for-roaming-authenticators\u2461\u2464"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-roaming-authenticators\u2461\u2465"},{"id":"ref-for-roaming-authenticators\u2461\u2466"}],"title":"15. Accessibility Considerations"}],"url":"#roaming-authenticators"}, "roaming-credential": {"dfnID":"roaming-credential","dfnText":"roaming\ncredential","external":false,"refSections":[{"refs":[{"id":"ref-for-roaming-credential"}],"title":"5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)"},{"refs":[{"id":"ref-for-roaming-credential\u2460"}],"title":"13.4.6. Credential Loss and Key Mobility"}],"url":"#roaming-credential"}, -"rp-id": {"dfnID":"rp-id","dfnText":"RP ID","external":false,"refSections":[{"refs":[{"id":"ref-for-rp-id"},{"id":"ref-for-rp-id\u2460"},{"id":"ref-for-rp-id\u2461"},{"id":"ref-for-rp-id\u2462"},{"id":"ref-for-rp-id\u2463"},{"id":"ref-for-rp-id\u2464"},{"id":"ref-for-rp-id\u2465"},{"id":"ref-for-rp-id\u2466"},{"id":"ref-for-rp-id\u2467"},{"id":"ref-for-rp-id\u2468"},{"id":"ref-for-rp-id\u2460\u24ea"},{"id":"ref-for-rp-id\u2460\u2460"}],"title":"4. 
Terminology"},{"refs":[{"id":"ref-for-rp-id\u2460\u2461"},{"id":"ref-for-rp-id\u2460\u2462"},{"id":"ref-for-rp-id\u2460\u2463"},{"id":"ref-for-rp-id\u2460\u2464"},{"id":"ref-for-rp-id\u2460\u2465"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-rp-id\u2460\u2466"},{"id":"ref-for-rp-id\u2460\u2467"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-rp-id\u2460\u2468"},{"id":"ref-for-rp-id\u2461\u24ea"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-rp-id\u2461\u2460"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-rp-id\u2461\u2461"}],"title":"5.1.10.1. Asynchronous RP ID validation algorithm"},{"refs":[{"id":"ref-for-rp-id\u2461\u2462"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2463"}],"title":"5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2464"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2465"},{"id":"ref-for-rp-id\u2461\u2466"},{"id":"ref-for-rp-id\u2461\u2467"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2468"},{"id":"ref-for-rp-id\u2462\u24ea"},{"id":"ref-for-rp-id\u2462\u2460"}],"title":"5.11. Using Web Authentication across related origins"},{"refs":[{"id":"ref-for-rp-id\u2462\u2461"},{"id":"ref-for-rp-id\u2462\u2462"},{"id":"ref-for-rp-id\u2462\u2463"},{"id":"ref-for-rp-id\u2462\u2464"},{"id":"ref-for-rp-id\u2462\u2465"},{"id":"ref-for-rp-id\u2462\u2466"}],"title":"6.1. 
Authenticator Data"},{"refs":[{"id":"ref-for-rp-id\u2462\u2467"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-rp-id\u2462\u2468"}],"title":"6.3.3. The authenticatorGetAssertion Operation"},{"refs":[{"id":"ref-for-rp-id\u2463\u24ea"}],"title":"6.3.5. The silentCredentialDiscovery operation"},{"refs":[{"id":"ref-for-rp-id\u2463\u2460"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-rp-id\u2463\u2461"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-rp-id\u2463\u2462"}],"title":"8.4. Android Key Attestation Statement Format"},{"refs":[{"id":"ref-for-rp-id\u2463\u2463"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-rp-id\u2463\u2464"},{"id":"ref-for-rp-id\u2463\u2465"},{"id":"ref-for-rp-id\u2463\u2466"},{"id":"ref-for-rp-id\u2463\u2467"},{"id":"ref-for-rp-id\u2463\u2468"},{"id":"ref-for-rp-id\u2464\u24ea"},{"id":"ref-for-rp-id\u2464\u2460"}],"title":"10.1.1. FIDO AppID Extension (appid)"},{"refs":[{"id":"ref-for-rp-id\u2464\u2461"}],"title":"11.5. Add Credential"},{"refs":[{"id":"ref-for-rp-id\u2464\u2462"},{"id":"ref-for-rp-id\u2464\u2463"}],"title":"13.4.8. Code injection attacks"},{"refs":[{"id":"ref-for-rp-id\u2464\u2464"},{"id":"ref-for-rp-id\u2464\u2465"},{"id":"ref-for-rp-id\u2464\u2466"},{"id":"ref-for-rp-id\u2464\u2467"},{"id":"ref-for-rp-id\u2464\u2468"}],"title":"13.4.9. Validating the origin of a credential"}],"url":"#rp-id"}, +"rp-id": {"dfnID":"rp-id","dfnText":"RP ID","external":false,"refSections":[{"refs":[{"id":"ref-for-rp-id"},{"id":"ref-for-rp-id\u2460"},{"id":"ref-for-rp-id\u2461"},{"id":"ref-for-rp-id\u2462"},{"id":"ref-for-rp-id\u2463"},{"id":"ref-for-rp-id\u2464"},{"id":"ref-for-rp-id\u2465"},{"id":"ref-for-rp-id\u2466"},{"id":"ref-for-rp-id\u2467"},{"id":"ref-for-rp-id\u2468"},{"id":"ref-for-rp-id\u2460\u24ea"},{"id":"ref-for-rp-id\u2460\u2460"}],"title":"4. 
Terminology"},{"refs":[{"id":"ref-for-rp-id\u2460\u2461"},{"id":"ref-for-rp-id\u2460\u2462"},{"id":"ref-for-rp-id\u2460\u2463"},{"id":"ref-for-rp-id\u2460\u2464"},{"id":"ref-for-rp-id\u2460\u2465"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-rp-id\u2460\u2466"},{"id":"ref-for-rp-id\u2460\u2467"}],"title":"5.1.3. Create a New Credential - PublicKeyCredential\u2019s [[Create]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-rp-id\u2460\u2468"},{"id":"ref-for-rp-id\u2461\u24ea"}],"title":"5.1.4.1. PublicKeyCredential\u2019s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method"},{"refs":[{"id":"ref-for-rp-id\u2461\u2460"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-rp-id\u2461\u2461"}],"title":"5.1.10.1. Asynchronous RP ID validation algorithm"},{"refs":[{"id":"ref-for-rp-id\u2461\u2462"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2463"},{"id":"ref-for-rp-id\u2461\u2464"}],"title":"5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2465"}],"title":"5.4.2. Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2466"}],"title":"5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)"},{"refs":[{"id":"ref-for-rp-id\u2461\u2467"},{"id":"ref-for-rp-id\u2461\u2468"},{"id":"ref-for-rp-id\u2462\u24ea"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-rp-id\u2462\u2460"},{"id":"ref-for-rp-id\u2462\u2461"},{"id":"ref-for-rp-id\u2462\u2462"}],"title":"5.11. 
Using Web Authentication across related origins"},{"refs":[{"id":"ref-for-rp-id\u2462\u2463"},{"id":"ref-for-rp-id\u2462\u2464"},{"id":"ref-for-rp-id\u2462\u2465"},{"id":"ref-for-rp-id\u2462\u2466"},{"id":"ref-for-rp-id\u2462\u2467"},{"id":"ref-for-rp-id\u2462\u2468"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-rp-id\u2463\u24ea"}],"title":"6.3.2. The authenticatorMakeCredential Operation"},{"refs":[{"id":"ref-for-rp-id\u2463\u2460"}],"title":"6.3.3. The authenticatorGetAssertion Operation"},{"refs":[{"id":"ref-for-rp-id\u2463\u2461"}],"title":"6.3.5. The silentCredentialDiscovery operation"},{"refs":[{"id":"ref-for-rp-id\u2463\u2462"}],"title":"7.1. Registering a New Credential"},{"refs":[{"id":"ref-for-rp-id\u2463\u2463"}],"title":"7.2. Verifying an Authentication Assertion"},{"refs":[{"id":"ref-for-rp-id\u2463\u2464"}],"title":"8.4. Android Key Attestation Statement Format"},{"refs":[{"id":"ref-for-rp-id\u2463\u2465"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-rp-id\u2463\u2466"},{"id":"ref-for-rp-id\u2463\u2467"},{"id":"ref-for-rp-id\u2463\u2468"},{"id":"ref-for-rp-id\u2464\u24ea"},{"id":"ref-for-rp-id\u2464\u2460"},{"id":"ref-for-rp-id\u2464\u2461"},{"id":"ref-for-rp-id\u2464\u2462"}],"title":"10.1.1. FIDO AppID Extension (appid)"},{"refs":[{"id":"ref-for-rp-id\u2464\u2463"}],"title":"11.5. Add Credential"},{"refs":[{"id":"ref-for-rp-id\u2464\u2464"},{"id":"ref-for-rp-id\u2464\u2465"}],"title":"13.4.8. Code injection attacks"},{"refs":[{"id":"ref-for-rp-id\u2464\u2466"},{"id":"ref-for-rp-id\u2464\u2467"},{"id":"ref-for-rp-id\u2464\u2468"},{"id":"ref-for-rp-id\u2465\u24ea"},{"id":"ref-for-rp-id\u2465\u2460"}],"title":"13.4.9. Validating the origin of a credential"}],"url":"#rp-id"}, "scope": {"dfnID":"scope","dfnText":"scope","external":false,"refSections":[{"refs":[{"id":"ref-for-scope\u2461"},{"id":"ref-for-scope\u2462"},{"id":"ref-for-scope\u2463"}],"title":"1. 
Introduction"},{"refs":[{"id":"ref-for-scope\u2464"},{"id":"ref-for-scope\u2465"}],"title":"4. Terminology"},{"refs":[{"id":"ref-for-scope\u2466"},{"id":"ref-for-scope\u2467"}],"title":"5. Web Authentication API"},{"refs":[{"id":"ref-for-scope\u2468"}],"title":"5.1.4.2. Issuing a Credential Request to an Authenticator"},{"refs":[{"id":"ref-for-scope\u2460\u24ea"}],"title":"5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)"},{"refs":[{"id":"ref-for-scope\u2460\u2460"}],"title":"5.4.1. Public Key Entity Description (dictionary PublicKeyCredentialEntity)"},{"refs":[{"id":"ref-for-scope\u2460\u2461"},{"id":"ref-for-scope\u2460\u2462"}],"title":"5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)"},{"refs":[{"id":"ref-for-scope\u2460\u2463"},{"id":"ref-for-scope\u2460\u2464"}],"title":"6.1. Authenticator Data"},{"refs":[{"id":"ref-for-scope\u2460\u2465"}],"title":"8.4. Android Key Attestation Statement Format"},{"refs":[{"id":"ref-for-scope\u2460\u2466"}],"title":"8.6. FIDO U2F Attestation Statement Format"},{"refs":[{"id":"ref-for-scope\u2460\u2467"},{"id":"ref-for-scope\u2460\u2468"}],"title":"10.1.1. FIDO AppID Extension (appid)"},{"refs":[{"id":"ref-for-scope\u2461\u24ea"},{"id":"ref-for-scope\u2461\u2460"},{"id":"ref-for-scope\u2461\u2461"}],"title":"13.2. Physical Proximity between Client and Authenticator"},{"refs":[{"id":"ref-for-scope\u2461\u2462"}],"title":"13.4.4. Attestation Limitations"},{"refs":[{"id":"ref-for-scope\u2461\u2463"},{"id":"ref-for-scope\u2461\u2464"},{"id":"ref-for-scope\u2461\u2465"},{"id":"ref-for-scope\u2461\u2466"},{"id":"ref-for-scope\u2461\u2467"}],"title":"13.4.8. Code injection attacks"},{"refs":[{"id":"ref-for-scope\u2461\u2468"},{"id":"ref-for-scope\u2462\u24ea"}],"title":"13.4.9. Validating the origin of a credential"},{"refs":[{"id":"ref-for-scope\u2462\u2460"}],"title":"14.2. 
Anonymous, Scoped, Non-correlatable Public Key Credentials"}],"url":"#scope"}, "second-factor-platform-authenticator": {"dfnID":"second-factor-platform-authenticator","dfnText":"Second-factor platform authenticator","external":false,"refSections":[{"refs":[{"id":"ref-for-second-factor-platform-authenticator"}],"title":"6.2. Authenticator Taxonomy"}],"url":"#second-factor-platform-authenticator"}, "second-factor-roaming-authenticator": {"dfnID":"second-factor-roaming-authenticator","dfnText":"Second-factor roaming authenticator","external":false,"refSections":[{"refs":[{"id":"ref-for-second-factor-roaming-authenticator"}],"title":"6.2. Authenticator Taxonomy"}],"url":"#second-factor-roaming-authenticator"},