From 26ae8150418cbfc2b9c48042d9607d8bf4b6d64a Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 13 Nov 2024 13:50:43 +0100 Subject: [PATCH 1/4] Delete authenticatorDisplayName --- index.bs | 64 +++++--------------------------------------------------- 1 file changed, 5 insertions(+), 59 deletions(-) diff --git a/index.bs b/index.bs index 32c64aa81..60577cb7d 100644 --- a/index.bs +++ b/index.bs @@ -1182,17 +1182,6 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital when the [=public key credential source=] was [=registration|registered=]. Storing this in combination with the above [$credential record/attestationObject$] [=struct/item=] enables the [=[RP]=] to re-verify the [=attestation signature=] at a later time. - - : authenticatorDisplayName - :: A [=human-palatable=] description of the [=public key credential source=]. - - If used, the [=[RP]=] SHOULD use this to describe the [=credential record=] in the user's account settings. - The [=[RP]=] SHOULD allow the user to choose this value, and MAY allow the user to modify it at will. - - The [=credProps|Credential Properties Extension=] defines the [=credential property=] - {{CredentialPropertiesOutput/authenticatorDisplayName}} - which, when available, MAY be offered as a default for this value. - The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any. [=WebAuthn extensions=] MAY define additional [=struct/items=] needed to process the extension. 
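Review bot: With the authenticatorDisplayName item deleted from the credential record definition, the only remaining statement about extra items is the trailing context line "[=WebAuthn extensions=] MAY define additional [=struct/items=] needed to process the extension.", which covers extensions but says nothing about the RP's own items; consider adding one sentence here that the [=[RP]=] MAY include additional items of its own (a user-chosen nickname, for instance) so the struct definition stays in step with the registration-procedure text that now carries that example. Also confirm that no other place in the document still autolinks [$credential record/authenticatorDisplayName$], since that would now be an undefined reference.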
@@ -6070,15 +6059,12 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o : [$credential record/attestationClientDataJSON$] :: |response|.{{AuthenticatorResponse/clientDataJSON}}. - - : [$credential record/authenticatorDisplayName$] - :: A [=human-palatable=] description of the [=public key credential source=]. - This SHOULD be chosen by the user. - - If |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}} is present, - then its value MAY be offered as a default for this value. - The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any. + + The [=[RP]=] MAY also include any additional [=struct/items=] as necessary. + As a non-normative example, the [=[RP]=] might allow the user to set a "nickname" for the credential + to help the user remember which [=credential=] is [=bound credential|bound=] to which [=authenticator=] + when interacting with account settings. 
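Review bot: The new non-normative text says the RP "might allow the user to set a 'nickname'" but no longer says where that value lives or comes from; the deleted lines made clear it was RP-stored data that could be seeded from the credProps output or the attestation statement, and the rest of this series removes the client-supplied default. It would help implementers to state explicitly that such a nickname is RP-local state that is neither part of the credential nor supplied by the client or authenticator, so nobody expects the ceremony to carry it.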
@@ -6269,11 +6255,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o update it to the value of the [=authData/flags/UV=] bit in the [=flags=] in |authData|. This change SHOULD require authorization by an additional [=authentication factor=] equivalent to WebAuthn [=user verification=]; if not authorized, skip this step. - 1. If |credentialRecord|.[$credential record/authenticatorDisplayName$] is used, - and |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}} - is present and not equal to |credentialRecord|.[$credential record/authenticatorDisplayName$], - then OPTIONALLY offer the user to update |credentialRecord|.[$credential record/authenticatorDisplayName$] - to the value of |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}. If the [=[RP]=] performs additional security checks beyond these WebAuthn [=authentication ceremony=] steps, the above state updates SHOULD be deferred to after those additional checks are completed successfully. @@ -7382,14 +7363,11 @@ This [=client extension|client=] [=registration extension=] and [=authentication 1. Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the invocation of the [=authenticatorMakeCredential=] operation. - 1. Set {{CredentialPropertiesOutput/authenticatorDisplayName}} as described in its definition, using some client-specific procedure. - If no suitable value is found, let {{CredentialPropertiesOutput/authenticatorDisplayName}} be undefined. : Client extension output :: dictionary CredentialPropertiesOutput { boolean rk; - DOMString authenticatorDisplayName; }; partial dictionary AuthenticationExtensionsClientOutputs { 
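Review bot: Removing the display-name step from the authentication ceremony removes the only consumer of credProps output during authentication, so the extension's "Operation applicability" entry, which at this point in the series still lists authentication, becomes stale and should be reverted in the same change (the second patch does this; consider squashing). The sentence that follows, "the above state updates SHOULD be deferred to after those additional checks", still reads correctly because the UV update and the steps before it remain above it.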
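Review bot: After deleting the second processing step, the list under "If processed during a registration ceremony:" holds a single numbered item, so the nesting no longer earns its keep; the follow-up patch flattens it, which confirms the two changes belong together. The IDL edit is correct as far as the hunk shows: dropping "DOMString authenticatorDisplayName;" leaves "dictionary CredentialPropertiesOutput { boolean rk; };" as valid WebIDL, but make sure the member's definition under the "dfn-for="CredentialPropertiesOutput"" block is removed in the same change so the prose does not define a member the IDL no longer has.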
@@ -7407,38 +7385,6 @@ This [=client extension|client=] [=registration extension=] and [=authentication If {{rk}} is not present, it is not known whether the credential is a [=discoverable credential=] or a [=server-side credential=]. Note: some [=authenticators=] create [=discoverable credentials=] even when not requested by the [=client platform=]. Because of this, [=client platforms=] may be forced to omit the {{rk}} property because they lack the assurance to be able to set it to [FALSE]. [=[RPS]=] should assume that, if the `credProps` extension is supported, then [=client platforms=] will endeavour to populate the {{rk}} property. Therefore a missing {{rk}} indicates that the created credential is most likely a [=non-discoverable credential=]. - - : <dfn>authenticatorDisplayName</dfn> - :: This OPTIONAL property is a [=human-palatable=] description of the credential's [=managing authenticator=], - chosen by the user. - - The [=client=] MUST allow the user to choose this value. - That choice MAY be presented during the [=registration ceremony|registration=] or - [=authentication ceremony|authentication=] ceremony or MAY be made available outside - the ceremony, for example in client settings. The [=client=] MAY reuse the same value - for multiple credentials with the same [=managing authenticator=] across multiple - [=[RPS]=]. - - The [=client=] MAY query the [=authenticator=], by some unspecified mechanism, for this - value. The [=authenticator=] MAY allow the user to configure the response to such a - query. The [=authenticator=] vendor MAY provide a default response to such a query. - The [=client=] MAY consider a user-configured response chosen by the user, - and SHOULD allow the user to modify a vendor-provided default response. 
- - If the [=[RP]=] includes an <code>[$credential record/authenticatorDisplayName$]</code> - [=struct/item=] in its [=credential records=], - the [=[RP]=] MAY offer this {{authenticatorDisplayName}} extension output, - if present, as a default value for the - <code>[$credential record/authenticatorDisplayName$]</code> of the new - [=credential record=] it stores after a [=registration ceremony=]. - - If the {{authenticatorDisplayName}} extension output from an [=authentication ceremony=] - is different from the <code>[$credential record/authenticatorDisplayName$]</code> of the - [=credential record=], - the [=[RP]=] MAY offer the user to update the - <code>[$credential record/authenticatorDisplayName$]</code> of the - [=credential record=]. - </div> From 1ef1781f943af27deb2491180e0ab5e3d3c09eb4 Mon Sep 17 00:00:00 2001 From: Emil Lundberg <emil@yubico.com> Date: Wed, 13 Nov 2024 19:52:09 +0100 Subject: [PATCH 2/4] Revert extending credProps to apply to authentication ceremonies This reverts commits 76e88e1d80947284a422894fe81d686f478ed67b and 2472df637429f96be24dcb361df087c1cbaa50bb. --- index.bs | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/index.bs b/index.bs index 60577cb7d..e99d30487 100644 --- a/index.bs +++ b/index.bs 
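Review bot: Worth recording in the PR description why this text goes: the deleted lines let the client reuse one display name "for multiple credentials with the same managing authenticator across multiple RPs" and let the authenticator vendor supply a default response, so the value could have served as a cross-RP correlation handle and a vendor default would typically have disclosed the product to an RP that received no attestation; removing the member closes both. With the last dfn gone, verify that the enclosing "<div dfn-type="dict-member" dfn-for="CredentialPropertiesOutput">" now contains only the rk definition and still ends at the "</div>" shown as trailing context.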
@@ -7342,13 +7342,13 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu ### Credential Properties Extension (<dfn>credProps</dfn>) ### {#sctn-authenticator-credential-properties-extension} -This [=client extension|client=] [=registration extension=] and [=authentication extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation or use of a [=public key credential source=]. +This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=]. : Extension identifier :: `credProps` : Operation applicability -:: [=registration extension|Registration=] and [=authentication extension|authentication=] +:: [=registration extension|Registration=] : Client extension input :: The Boolean value [TRUE] to indicate that this extension is requested by the [=[RP]=]. 
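Review bot: The replacement sentence doubles up: "upon creation of a public key credential source as a result of a registration ceremony" says the same thing twice, since a public key credential source is only created in a registration ceremony; "upon creation of a [=public key credential source=] in a [=registration ceremony=]" is enough. The applicability change to "[=registration extension|Registration=]" is consistent with the prose and with the earlier removal of the authentication-ceremony consumer.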
@@ -7359,13 +7359,14 @@ This [=client extension|client=] [=registration extension=] and [=authentication : Client extension processing -:: 1. If processed during a [=registration ceremony=]: - 1. Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the - invocation of the [=authenticatorMakeCredential=] - operation. +:: Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the + invocation of the [=authenticatorMakeCredential=] + operation. : Client extension output -:: +:: [=map/Set=] <code>[=credentialCreationData/clientExtensionResults=]["{{AuthenticationExtensionsClientOutputs/credProps}}"]["rk"]</code> to the value of the |requireResidentKey| parameter that was used in the <a href='#CreateCred-InvokeAuthnrMakeCred'>invocation</a> of the [=authenticatorMakeCredential=] operation. + + <xmp class="idl"> dictionary CredentialPropertiesOutput { boolean rk; }; From 9ac5dad2ef0b3cf8cac29b06996a257b0c6b78a6 Mon Sep 17 00:00:00 2001 From: Emil Lundberg <emil@yubico.com> Date: Wed, 13 Nov 2024 19:53:25 +0100 Subject: [PATCH 3/4] Restore note that only one credential property is defined --- index.bs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/index.bs b/index.bs index e99d30487..9f86129a0 100644 --- a/index.bs +++ b/index.bs @@ -7344,6 +7344,10 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=]. +At this time, one [=credential property=] is defined: the [=resident key credential property=] +(i.e., [=client-side discoverable credential property=]). + + : Extension identifier :: `credProps` From 92ccb542574e532ad33a4d2e0913224599b91251 Mon Sep 17 00:00:00 2001 
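Review bot: The "Client extension output" entry now carries a processing instruction ("[=map/Set=] clientExtensionResults["credProps"]["rk"] to the value of the |requireResidentKey| parameter ...") that repeats the "Client extension processing" step directly above it, so one normative requirement appears twice with slightly different wording and a different link target ("#CreateCred-InvokeAuthnrMakeCred" versus [=authenticatorMakeCredential=]); keep the instruction in the processing entry and let the output entry describe only the dictionary. Also confirm that the reinstated "<xmp class="idl">" opener has its matching "</xmp>" after the IDL, which lies outside this hunk.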
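Review bot: The added sentence autolinks [=client-side discoverable credential property=], which at this commit has no <dfn>, so the build reports an undefined reference until the next patch in the series adds one; either squash the two patches or define the term here so every commit builds. The two trailing "+" blank lines also leave a double blank before ": Extension identifier"; one is enough.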
From: Emil Lundberg <emil@yubico.com> Date: Wed, 13 Nov 2024 19:58:01 +0100 Subject: [PATCH 4/4] Fix undefined reference to client-side discoverable credential property --- index.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 9f86129a0..655b300da 100644 --- a/index.bs +++ b/index.bs @@ -7344,8 +7344,7 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=]. -At this time, one [=credential property=] is defined: the [=resident key credential property=] -(i.e., [=client-side discoverable credential property=]). +At this time, one [=credential property=] is defined: the [=client-side discoverable credential property=]. : Extension identifier @@ -7382,7 +7381,8 @@ At this time, one [=credential property=] is defined: the [=resident key credent <div dfn-type="dict-member" dfn-for="CredentialPropertiesOutput"> : <dfn>rk</dfn> - :: This OPTIONAL property, known abstractly as the <dfn dfn-type="dfn">resident key credential property</dfn>, + :: This OPTIONAL property, known abstractly as the <dfn dfn-type="dfn">client-side discoverable credential property</dfn> + or as the <dfn dfn-type="dfn">resident key credential property</dfn>, is a Boolean value indicating whether the {{PublicKeyCredential}} returned as a result of a [=registration ceremony=] is a [=client-side discoverable credential=]. If {{rk}} is [TRUE], the credential is a [=discoverable credential=].
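Review bot: The first hunk only resolves because the second hunk of the same patch introduces "<dfn dfn-type="dfn">client-side discoverable credential property</dfn>", which is fine, but the dfn sentence now reads "known abstractly as the client-side discoverable credential property or as the resident key credential property" with both names defined in a single clause, and the "(i.e., ...)" gloss that tied them together in the previous patch is gone. Consider keeping a short note that "resident key" is the name the rk member and the |requireResidentKey| parameter are derived from, so readers can connect the abstract property to the identifier they see in the IDL.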