addressing jyasskin's feedback -- thanks!
JeffH authored and JeffH committed May 25, 2017
1 parent 90526f3 commit 5a8970e
Showing 1 changed file with 47 additions and 44 deletions.
91 changes: 47 additions & 44 deletions index.bs
Expand Up @@ -291,7 +291,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
:: A [=Client-side-resident Credential Private Key=] is stored either on the client platform, or in some cases on the
authenticator itself, e.g., in the case of a discrete first-factor roaming authenticator. Such <dfn>client-side credential
private key storage</dfn> has the property that the authenticator is able to select the [=credential private key=] given
only an RP ID, possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP
only an [=RP ID=], possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP
ID). By definition, the private key is always exclusively controlled by the Authenticator. In the case of a
[=Client-side-resident Credential Private Key=], the Authenticator might offload storage of wrapped key material to the
client platform, but the client platform is not expected to offload the key storage to remote entities (e.g. RP Server).
Expand Down Expand Up @@ -322,18 +322,17 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
: <dfn>Relying Party Identifier</dfn>
: <dfn>RP ID</dfn>
:: A [=domain=] identifier for the [=[RP]=] on whose behalf a given [=registration=] or
[=authentication|authentication ceremony=] is being performed. A [=RP ID=] MUST be a [=valid domain string=]. A [=public key
credential=] can only be used for [=authentication=] with the same entity (as identified by [=RP ID=]) it was registered
with. By default, the [=RP ID=] for a WebAuthn operation is set to the {{CredentialsContainer}} object's [=relevant settings
object=]'s [=environment settings object/origin=]'s [=effective domain=], i.e., the caller's [=environment settings
object/origin=]'s [=effective domain=]. This default MAY be overridden by the caller, as long as the caller-specified [=RP
ID=] value [=is a registrable domain suffix of or is equal to=] the caller's [=environment settings object/origin=]'s
[=effective domain=]. See also [[#createCredential]] and [[#getAssertion]].
[=authentication|authentication ceremony=] is being performed. An [=RP ID=] MUST be a [=valid domain string=]. A [=public
key credential=] can only be used for [=authentication=] with the same entity (as identified by [=RP ID=]) it was registered
with. By default, the [=RP ID=] for a WebAuthn operation is set to the caller's [=environment settings object/origin=]'s
[=effective domain=]. This default MAY be overridden by the caller, as long as the caller-specified [=RP ID=] value [=is a
registrable domain suffix of or is equal to=] the caller's [=environment settings object/origin=]'s [=effective domain=].
See also [[#createCredential]] and [[#getAssertion]].

<div class="note">
Note: [=Public key credential=]'s scope is for an [=[RP]=]'s [=origin=], with the following <em>restrictions</em> and
Note: [=Public key credential=]'s scope is for a [=[RP]=]'s [=origin=], with the following <em>restrictions</em> and
<em>relaxations</em>:
- the scheme MUST be `https` (i.e., <em>a restriction</em>), and,
- The scheme MUST be `https` (i.e., <em>a restriction</em>), and,
- the host MAY be equal to the [=[RP]=]'s [=origin=]'s [=effective domain=], or it MAY be equal to a registrable
domain suffix of the [=[RP]=]'s [=origin=]'s [=effective domain=] (i.e., <em>an available relaxation</em>), and,
- all (TCP) ports on that host (i.e., <em>a relaxation</em>).
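
Review bot: the three list items in the note now mix capitalisation: "The scheme MUST be `https`" was capitalised in this change while "the host MAY be equal to" and "all (TCP) ports" stay lowercase; pick one form for all three. Separately, now that the default-RP-ID sentence no longer mentions the {{CredentialsContainer}} object's [=relevant settings object=], "the caller" should be defined or linked somewhere in this section, because the registrable-domain-suffix check referenced via [[#createCredential]] and [[#getAssertion]] is only as strong as the origin it is compared against.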
Expand Down Expand Up @@ -412,8 +411,8 @@ Identifier=], or [=RP ID=]. This [=RP ID=] is provided by the client to the [=au
requested by the same [=RP ID=]. Separating the [=origin=] from the [=RP ID=] in this way allows the API to be used in cases
where a single [=[RP]=] maintains multiple [=origins=].

The client facilitates these security measures by providing correct [=origins=] and [=RP IDs=] to the [=authenticator=] for each
operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in
The client facilitates these security measures by providing the [=[RP]=]'s [=origin=] and [=RP ID=] to the [=authenticator=] for
each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in
[=secure contexts=].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL
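
Review bot: dropping "MUST" from "user agents only expose this API to callers in [=secure contexts=]" turns a normative requirement into a descriptive statement, in the same paragraph that calls it "an integral part of the WebAuthn security model". If the requirement is now carried by the Web IDL (for example a [SecureContext] extended attribute on the interfaces), say so here with a cross-reference; otherwise keep the MUST. The rewording from "correct [=origins=] and [=RP IDs=]" to "the [=[RP]=]'s [=origin=] and [=RP ID=]" is an improvement, since it names whose values are meant.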
Expand Down Expand Up @@ -550,20 +549,24 @@ When this method is invoked, the user agent MUST execute the following algorithm
Note: An [=effective domain=] MUST be a [=valid domain=]. Formats other than [=domain=] -- i.e., [=ipv4 address=],
[=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
-->
1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} is [=present|not present=], then set
|rpId| to |effectiveDomain|.

Otherwise:

1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} [=is not a registrable domain suffix of and is
not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this
algorithm.
1. Set |rpId| to |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}.

Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
object/origin=]'s [=effective domain=] unless the caller has explicitly set
|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} when calling {{CredentialsContainer/create()}}.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors
-->
<li id='CreateCred-DetermineRpId'>
If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} is [=present|not present=], then set
|rpId| to |effectiveDomain|.

Otherwise:

1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} [=is not a registrable domain suffix of and is
not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this
algorithm.
1. Set |rpId| to |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}.

Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
object/origin=]'s [=effective domain=] unless the caller has explicitly set
|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} when calling {{CredentialsContainer/create()}}.
</li>
1. Let |normalizedParameters| be a new [=list=] whose [=list/items=] are pairs of {{PublicKeyCredentialType}} and a
[=dictionary=] type (as returned by [=normalizing an algorithm=]).
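
Review bot: the HTML comment admits that `<li id='CreateCred-DetermineRpId'>` is a top-level step forced into deeper indentation for bikeshed; check the rendered output to confirm this step is numbered at the same level as the following "Let |normalizedParameters| be ..." step and that the nested "1." items (the {{SecurityError}} check and the assignment of |rpId|) render as its sub-steps rather than as sub-steps of the preceding step. If the raw `<li>` cannot be closed before the next markdown item, every later step number shifts, which matters because other text now links to this step by id. A short rationale on the {{SecurityError}} branch would also help readers: a caller-supplied id that is not a registrable domain suffix of, or equal to, |effectiveDomain| would let one origin create credentials scoped to another.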

Expand Down Expand Up @@ -747,18 +750,20 @@ When this method is invoked, the user agent MUST execute the following algorithm
Note: An [=effective domain=] MUST be a [=valid domain=]. Formats other than [=domain=] -- i.e., [=ipv4 address=],
[=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
-->
1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} is [=present|not present=], then set |rpId| to |effectiveDomain|.

Otherwise:

1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not equal to=]
|effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this algorithm.
1. Set |rpId| to |options|.{{PublicKeyCredentialRequestOptions/rpId}}.

Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
object/origin=]'s [=effective domain=] unless the caller has explicitly set
|options|.{{PublicKeyCredentialRequestOptions/rpId}} when calling {{CredentialsContainer/get()}}.

<li id='GetAssn-DetermineRpId'>
If |options|.{{PublicKeyCredentialRequestOptions/rpId}} is [=present|not present=], then set |rpId| to |effectiveDomain|.

Otherwise:

1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not equal to=]
|effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this algorithm.
1. Set |rpId| to |options|.{{PublicKeyCredentialRequestOptions/rpId}}.

Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
object/origin=]'s [=effective domain=] unless the caller has explicitly set
|options|.{{PublicKeyCredentialRequestOptions/rpId}} when calling {{CredentialsContainer/get()}}.
</li>
1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].

1. If the {{PublicKeyCredentialRequestOptions/extensions}} member of |options| is [=present=], then [=map/for each=]
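
Review bot: this block is a line-for-line copy of the `CreateCred-DetermineRpId` step above, differing only in the option name ({{PublicKeyCredentialRequestOptions/rpId}} versus {{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}) and the method ({{CredentialsContainer/get()}} versus {{CredentialsContainer/create()}}). Consider factoring it into one shared "determine the RP ID" algorithm that takes the candidate id and |effectiveDomain|, invoked from both methods, so the registrable-domain-suffix check and its {{SecurityError}} cannot drift between registration and authentication; the two anchor ids can then point at the single definition.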
Expand Down Expand Up @@ -1058,7 +1063,7 @@ associated.
</xmp>
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity">
: <dfn>id</dfn>
:: A unique identifier for the entity. For a [=relying party=] entity, this will be the [=RP ID=]. For a user account
:: A unique identifier for the entity. For a [=relying party=] entity, sets the [=RP ID=]. For a user account
entity, this will be an arbitrary string specified by the [=relying party=].

: <dfn>name</dfn>
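
Review bot: "For a [=relying party=] entity, sets the [=RP ID=]" has no subject; write "this sets the [=RP ID=]" or, better, "this is used as the [=RP ID=], subject to the check in [[#createCredential]]", since the value is only accepted when it is a registrable domain suffix of, or equal to, the caller's [=effective domain=]. The old wording "this will be the RP ID" implied the member was always honoured, which is what this change corrects, so the cross-reference makes the correction explicit.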
Expand Down Expand Up @@ -1461,7 +1466,7 @@ The `TUP` flag SHALL be set if and only if the authenticator detected a user thr
For attestation signatures, the authenticator MUST set the AT flag and include the [=attestation data=]. For authentication
signatures, the AT flag MUST NOT be set and the [=attestation data=] MUST NOT be included.

If the authenticator does not include any extension data, it MUST set the `ED` flag to zero; it is set to one if
If the authenticator does not include any extension data, it MUST set the `ED` flag to zero, and to one if
extension data is included.

The [figure below](#fig-authData) shows a visual representation of the [=authenticator data=] structure.
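
Review bot: "MUST set the `ED` flag to zero, and to one if extension data is included" still reads as two loosely joined clauses. The `TUP` flag sentence just above uses "SHALL be set if and only if"; the same shape reads cleanly here: "The `ED` flag MUST be set if and only if the authenticator includes extension data."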
Expand Down Expand Up @@ -1490,15 +1495,14 @@ The following operations can be invoked by the client in an authenticator sessio
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The caller's [=RP ID=], as optionally decared by the [=[RP]=] and vetted by the user agent and the client, or defaulted to the
caller's [=environment settings object/origin=]'s [=effective domain=], c.f., [[#createCredential]].
- The caller's [=RP ID=], as <a href='#CreateCred-DetermineRpId'>determined</a> by the user agent and the client.
- The [=hash of the serialized client data=], provided by the client.
- The [=[RP]=]'s {{PublicKeyCredentialEntity}}.
- The user account's {{PublicKeyCredentialUserEntity}}.
- The {{PublicKeyCredentialType}} and cryptographic parameters requested by the [=[RP]=], with the cryptographic algorithms
normalized as per the procedure in [[WebCryptoAPI#algorithm-normalization-normalize-an-algorithm]].
- An optional list of {{PublicKeyCredential}} objects provided by the [=[RP]=] with the intention that, if any of these are
known to the authenticator, it should not create a new credential.
- An optional list of {{PublicKeyCredentialDescriptor}} objects provided by the [=[RP]=] with the intention that, if any of
these are known to the authenticator, it should not create a new credential.
- Extension data created by the client based on the extensions requested by the [=[RP]=], if any.
- The |requireResidentKey| parameter of the |options|.{{MakeCredentialOptions/authenticatorSelection}} dictionary.
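
Review bot: replacing the old "optionally decared ... or defaulted to" wording with a link to the `CreateCred-DetermineRpId` step is the right fix (and removes the typo), and {{PublicKeyCredentialDescriptor}} is the right type for the exclude list, since the [=[RP]=] holds descriptors rather than {{PublicKeyCredential}} objects. One thing to make explicit: the authenticator receives both the vetted [=RP ID=] and the [=[RP]=]'s {{PublicKeyCredentialEntity}}, which carries its own {{PublicKeyCredentialEntity/id}}; state that the vetted [=RP ID=] parameter is the one the new credential is scoped to, so an implementation cannot read the unvetted id out of the entity instead.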

Expand Down Expand Up @@ -1538,8 +1542,7 @@ On successful completion of this operation, the authenticator returns the [=atte
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

- The caller's [=RP ID=], as optionally decared by the [=[RP]=] and vetted by the user agent and the client, or defaulted to the
caller's [=environment settings object/origin=]'s [=effective domain=], c.f., [[#getAssertion]].
- The caller's [=RP ID=], as <a href='#GetAssn-DetermineRpId'>determined</a> by the user agent and the client.
- The [=hash of the serialized client data=], provided by the client.
- A list of credentials acceptable to the [=[RP]=] (possibly filtered by the client), if any.
- Extension data created by the client based on the extensions requested by the [=[RP]=], if any.