From 2ccb9f820fe7fbb2c9dbf942a3013a93ef06596b Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 22 Sep 2022 21:29:13 +0200 Subject: [PATCH] Change definition type of credential record items to abstract-op This will help avoid conflicts with existing definitions, including [=scope=], as we introduce a struct for devicePubKey records as well. --- index.bs | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/index.bs b/index.bs index d160e406a..83ec816f1 100644 --- a/index.bs +++ b/index.bs @@ -1127,7 +1127,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S The following [=struct/items=] are RECOMMENDED in order to implement all steps of [[#sctn-registering-a-new-credential]] and [[#sctn-verifying-assertion]] as defined: -
+
: type :: The [=public key credential source/type=] of the [=public key credential source=]. @@ -1158,7 +1158,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S The following [=struct/items=] are OPTIONAL: -
+
: attestationObject :: The value of the {{AuthenticatorAttestationResponse/attestationObject}} attribute when the [=public key credential source=] was [=registration|registered=]. @@ -1167,7 +1167,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S : attestationClientDataJSON :: The value of the {{AuthenticatorResponse/clientDataJSON}} attribute when the [=public key credential source=] was [=registration|registered=]. - Storing this in combination with the above [=credential record/attestationObject=] [=struct/item=] + Storing this in combination with the above [$credential record/attestationObject$] [=struct/item=] enables the [=[RP]=] to re-verify the [=attestation signature=] at a later time.
@@ -1178,13 +1178,13 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S The credential descriptor for a credential record is a {{PublicKeyCredentialDescriptor}} value with the contents: : {{PublicKeyCredentialDescriptor/type}} - :: The [=credential record/type=] of the [=credential record=]. + :: The [$credential record/type$] of the [=credential record=]. : {{PublicKeyCredentialDescriptor/id}} - :: The [=credential record/id=] of the [=credential record=]. + :: The [$credential record/id$] of the [=credential record=]. : {{PublicKeyCredentialDescriptor/transports}} - :: The [=credential record/transports=] of the [=credential record=]. + :: The [$credential record/transports$] of the [=credential record=]. : Generating Authenticator @@ -5157,36 +5157,36 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo with the following contents:
- : [=credential record/type=] + : [$credential record/type$] :: |credential|.{{Credential/type}}. - : [=credential record/id=] + : [$credential record/id$] :: |credential|.{{Credential/id}} or |credential|.{{PublicKeyCredential/rawId}}, whichever format is preferred by the [=[RP]=]. - : [=credential record/publicKey=] + : [$credential record/publicKey$] :: The [=credential public key=] in |authData|. - : [=credential record/signCount=] + : [$credential record/signCount$] :: |authData|.[=authData/signCount=]. - : [=credential record/transports=] + : [$credential record/transports$] :: The value returned from |response|.{{AuthenticatorAttestationResponse/getTransports()}}. - : [=credential record/BE=] + : [$credential record/BE$] :: The value of the [=authData/flags/BE=] [=flag=] in |authData|. - : [=credential record/BS=] + : [$credential record/BS$] :: The value of the [=authData/flags/BS=] [=flag=] in |authData|.
The new [=credential record=] MAY also include the following OPTIONAL contents:
- : [=credential record/attestationObject=] + : [$credential record/attestationObject$] :: |response|.{{AuthenticatorAttestationResponse/attestationObject}}. - : [=credential record/attestationClientDataJSON=] + : [$credential record/attestationClientDataJSON$] :: |response|.{{AuthenticatorResponse/clientDataJSON}}.
@@ -5232,7 +5232,7 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as
: If the user was identified before the [=authentication ceremony=] was initiated, e.g., via a username or cookie, :: verify that the identified [=user account=] contains a [=credential record=] - whose [=credential record/id=] equals |credential|.{{PublicKeyCredential/rawId}}. + whose [$credential record/id$] equals |credential|.{{PublicKeyCredential/rawId}}. Let |credentialRecord| be that [=credential record=]. If |response|.{{AuthenticatorAssertionResponse/userHandle}} is present, verify that it equals the [=user handle=] of the [=user account=]. @@ -5240,7 +5240,7 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as : If the user was not identified before the [=authentication ceremony=] was initiated, :: verify that |response|.{{AuthenticatorAssertionResponse/userHandle}} is present. Verify that the [=user account=] identified by |response|.{{AuthenticatorAssertionResponse/userHandle}} - contains a [=credential record=] whose [=credential record/id=] equals |credential|.{{PublicKeyCredential/rawId}}. + contains a [=credential record=] whose [$credential record/id$] equals |credential|.{{PublicKeyCredential/rawId}}. Let |credentialRecord| be that [=credential record=].
@@ -5289,9 +5289,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o let |currentBe| and |currentBs| be the values of the [=authData/flags/BE=] and [=authData/flags/BS=] bits, respectively, of the [=flags=] in |authData|. Compare |currentBe| and |currentBs| with - |credentialRecord|.[=credential record/BE=] and |credentialRecord|.[=credential record/BS=] + |credentialRecord|.[$credential record/BE$] and |credentialRecord|.[$credential record/BS$] and apply [=[RP]=] policy, if any, - and then update |credentialRecord|.[=credential record/BS=] to the value of |currentBs|. + and then update |credentialRecord|.[$credential record/BS$] to the value of |currentBs|. Note: See [[#sctn-credential-backup]] for examples of how a [=[RP]=] might process the [=authData/flags/BS=] [=flag=] values. @@ -5314,27 +5314,27 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o 1. Let |hash| be the result of computing a hash over the |cData| using SHA-256. -1. Using |credentialRecord|.[=credential record/publicKey=], +1. Using |credentialRecord|.[$credential record/publicKey$], verify that |sig| is a valid signature over the binary concatenation of |authData| and |hash|. Note: This verification step is compatible with signatures generated by FIDO U2F authenticators. See [[#sctn-fido-u2f-sig-format-compat]]. -1. If |authData|.[=authData/signCount=] is nonzero or |credentialRecord|.[=credential record/signCount=] is nonzero, +1. If |authData|.[=authData/signCount=] is nonzero or |credentialRecord|.[$credential record/signCount$] is nonzero, then run the following sub-step: - If |authData|.[=authData/signCount=] is
-
greater than |credentialRecord|.[=credential record/signCount=]:
-
Update |credentialRecord|.[=credential record/signCount=] to be the value of +
greater than |credentialRecord|.[$credential record/signCount$]:
+
Update |credentialRecord|.[$credential record/signCount$] to be the value of |authData|.[=authData/signCount=].
-
less than or equal to |credentialRecord|.[=credential record/signCount=]:
+
less than or equal to |credentialRecord|.[$credential record/signCount$]:
This is a signal that the authenticator may be cloned, i.e. at least two copies of the [=credential private key=] may exist and are being used in parallel. [=[RPS]=] should incorporate this information into their risk scoring. - Whether the [=[RP]=] updates |credentialRecord|.[=credential record/signCount=] + Whether the [=[RP]=] updates |credentialRecord|.[$credential record/signCount$] in this case, or not, or fails the [=authentication ceremony=] or not, is [=[RP]=]-specific.
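Review bot: in the @@ -1127 hunk (and its twin at @@ -1158 for the OPTIONAL items) the only change is the wrapper element around the item list, which shows here as an empty `-`/`+` pair, so the new dfn type cannot be read off this view; please confirm both wrappers now carry the same abstract-op type, since every `[$credential record/…$]` reference in the later hunks depends on it. Two follow-ups: first, `abstract-op` is Bikeshed's type for algorithms, and typing struct items that way changes how other specs must link to them (`[$…$]` instead of `[=…=]`), so a sentence in the commit message on why this was preferred over giving the new devicePubKey struct its own `dfn-for` would help the next reader; second, the diffstat's 25/25 lines cover only the references rewritten in this patch, so a clean Bikeshed build is the real check that no `[=credential record/…=]` shorthand survives elsewhere in index.bs, where it would now be an unresolved link.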