support uaf credentuial type in authenticatorMakeCredential. See #407

index.bs

@@ -1542,27 +1542,47 @@ When this operation is invoked, the authenticator must perform the following pro
     so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
 - If the |requireResidentKey| flag is set to |true| and the authenticator cannot store a [=Client-side-resident Credential
     Private Key=], return an error code equivalent to "{{ConstraintError}}" and terminate the operation.
-- Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
-    if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
-    equivalent to "{{NotAllowedError}}" and terminate the operation.
-- Once user consent has been obtained, generate a new credential object:
-    - Generate a set of cryptographic keys using the most preferred combination of {{PublicKeyCredentialType}} and cryptographic
-        parameters supported by this authenticator.
-    - Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
-        credentials with the same type across all authenticators.
-    - Associate the credential with the specified [=RP ID=] and the user's account identifier
-        {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}.
-    - Delete any older credentials with the same [=RP ID=] and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}
-        that are stored locally by the [=authenticator=].
-- If any error occurred while creating the new credential object, return an error code equivalent to "{{UnknownError}}" and
-    terminate the operation.
-- Process all the supported extensions requested by the client, and generate the [=authenticator data=] with
-    [=attestation data=] as specified in [[#sec-authenticator-data]]. Use this [=authenticator data=] and the
-    [=hash of the serialized client data=] to create an [=attestation object=] for the new credential using the procedure
-    specified in [[#generating-an-attestation-object]]. For more details on attestation, see [[#sctn-attestation]].
-
-On successful completion of this operation, the authenticator returns the [=attestation object=] to the client.
+- The [=authenticator=] must perform the following procedure depending on the PublicKeyCredentialType of the preferred combination of {{PublicKeyCredentialType}} and cryptographic parameters supported by this authenticator:
+    <dl class="switch">
+    <dt>"public-key"</dt>
+    <dd>
+    - Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
+        if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
+        equivalent to "{{NotAllowedError}}" and terminate the operation.
+    - Once user consent has been obtained, generate a new credential object:
+        - Generate a set of cryptographic keys using the most preferred combination of {{PublicKeyCredentialType}} and cryptographic
+            parameters supported by this authenticator.
+        - Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
+            credentials with the same type across all authenticators.
+        - Associate the credential with the specified [=RP ID=] and the user's account identifier
+            {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}.
+        - Delete any older credentials with the same [=RP ID=] and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}
+            that are stored locally by the [=authenticator=].
+    - If any error occurred while creating the new credential object, return an error code equivalent to "{{UnknownError}}" and
+        terminate the operation.
+    - Process all the supported extensions requested by the client, and generate the [=authenticator data=] with
+        [=attestation data=] as specified in [[#sec-authenticator-data]]. Use this [=authenticator data=] and the
+        [=hash of the serialized client data=] to create an [=attestation object=] for the new credential using the procedure
+        specified in [[#generating-an-attestation-object]]. For more details on attestation, see [[#sctn-attestation]].
+
+    - On successful completion of this operation, the authenticator returns the [=attestation object=] to the client.
+
+    </dd>
+    <dt>"public-key-uaf"</dt>
+    <dd>
 
+    - Follow the procedure as specified in [[FIDO-UAF-Authenticator-Commands]] section 6.2. Using
+        * The caller's RP ID as "AppID"
+        * The [=hash of the serialized client data=] as "Final Challenge Hash".
+        * The {{MakeCredentialOptions/user}}.{{PublicKeyCredentialUserEntity/displayName}} as "Username".
+        * Provide TAG_ATTESTATION_BASIC_FULL (0x3E07) as "Attestation Type".
+        * Provide a "KHAccessToken" as described in section 6.1. in [[FIDO-UAF-ASM]].
+        * Provide no "UserVerificationToken".
+    - On successful completion of this operation, the authenticator returns the registration assertion as [=attestation object=] to the client.
+
+    </dd>
+    </dl>
+
 
 ### The <dfn>authenticatorGetAssertion</dfn> operation ### {#op-get-assertion}
 
@@ -1583,14 +1603,15 @@ of the PublicKeyCredentialType of any related [=credential=]):
     determined by an exact match of the [=RP ID=]).
 - If the previous step resulted in an empty list, return an error code equivalent to "{{NotAllowedError}}" and terminate the
     operation.
-- Prompt the user to select a [=public key credential|credential=] from among the above list. Obtain [=user consent=] for using
-    this [=public key credential|credential=]. The prompt for obtaining this [=user consent|consent=] may be shown by the
-    [=authenticator=] if it has its own output capability, or by the user agent otherwise.
+- Prompt the user to select a [=public key credential|credential=] from among the above list. 
 
 - The [=authenticator=] must perform the following procedure depending on the PublicKeyCredentialType of the [=credential=]:
     <dl class="switch">
     <dt>"public-key"</dt>
     <dd>
+    - Obtain [=user consent=] for using
+        this [=public key credential|credential=]. The prompt for obtaining this [=user consent|consent=] may be shown by the
+        [=authenticator=] if it has its own output capability, or by the user agent otherwise.
     - Process all the supported extensions requested by the client, and generate the [=authenticator data=] as specified in 
         [[#sec-authenticator-data]], though without [=attestation data=]. Concatenate this [=authenticator data=] with the [=hash of
         the serialized client data=] to generate an [=assertion signature=] using the [=credential private key|private key=] of the