added (only) keyProtection to AuthenticatorSelectionCriteria

w3c · May 29, 2017 · 323f528 · 323f528
1 parent 72f82e9
commit 323f528
Showing 1 changed file with 43 additions and 11 deletions.
diff --git a/index.bs b/index.bs
@@ -1055,9 +1055,7 @@ associated.
     dictionary AuthenticatorSelectionCriteria {
         Attachment        attachment;
         boolean           requireResidentKey = false;
-        sequence<AAGUID>  aaguidList;
         KeyProtection     keyProtection;
-        MatcherProtection matcherProtection;
     };
 </xmp>
 
@@ -1071,19 +1069,10 @@ associated.
         Private Key=]. If the parameter is set to true, the authenticator MUST create a 
         [=Client-side-resident Credential Private Key=] when creating a [=public key credential=].
 
-    :   <dfn>aaguidList</dfn>
-    ::  If this member is [=present|present=], eligible authenticators are filtered to the ones identified by matching
-        one AAGUID entry [[#aaguid]] included in the list.  Each AAGUID entry corresponds to an authenticator model that is 
-        acceptable to the [RP] for this credential creation. The list is ordered by decreasing preference.
-
     : <dfn>keyProtection</dfn>
     ::  If this member is [=present|present=], eligible authenticators are filtered to the ones identified by matching
         the keyProtection method as indicated.
 
-    : <dfn>matcherProtection</dfn>
-    ::  If this member is [=present|present=], eligible authenticators are filtered to the ones identified by matching
-        the matcherProtection method as indicated.
-
 </div>
 
 ### AAGUID (typedef <dfn>AAGUID</dfn>) ### {#aaguid}
@@ -2781,6 +2770,49 @@ as well. This allows authenticators without a font rendering engine to be used a
     signature itself.
 
 
+## Authenticator Selection Extension (authnSel) ## {#sctn-authenticator-selection-extension}
+
+This [=registration extension=] allows a [=[RP]=] to guide the selection of the authenticator that will be leveraged when creating
+the credential. It is intended primarily for [=[RPS]=] that wish to tightly control the experience around credential creation.
+
+: Extension identifier
+:: `authnSel`
+
+: Client extension input
+:: A sequence of AAGUIDs:
+
+    <xmp class="idl">
+        typedef sequence<AAGUID> AuthenticatorSelectionList;
+    </xmp>
+
+    Each AAGUID corresponds to an authenticator model that is acceptable to the [=[RP]=] for this credential creation. The
+    list is ordered by decreasing preference.
+
+    An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.
+
+    <pre class="idl">
+        typedef BufferSource AAGUID;
+    </pre>
+
+: Client extension processing
+:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Selection
+    Extension, it MUST use the first available authenticator whose AAGUID is present in the {{AuthenticatorSelectionList}}. If
+    none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the
+    available authenticators to generate the credential.
+
+: Client extension output
+:: Returns the JSON value `true` to indicate to the RP that the extension was acted upon
+
+: Authenticator extension input
+:: None.
+
+: Authenticator extension processing
+:: None.
+
+: Authenticator extension output
+:: None.
+
+
 ## Supported Extensions Extension (exts) ## {#sctn-supported-extensions-extension}
 
 This [=registration extension=] enables the [=[RP]=] to determine which extensions the authenticator supports.