Merge branch 'main' into jeffh-fix-1658-device-bound-key-extension
equalsJeffH committed Nov 12, 2021
2 parents d0bef33 + a4b80ad commit 89cec45
Showing 1 changed file with 43 additions and 13 deletions.
56 changes: 43 additions & 13 deletions index.bs
Expand Up @@ -232,7 +232,7 @@ spec: FIDO-U2F-Message-Formats; urlPrefix: https://fidoalliance.org/specs/fido-u
text: Section 4.3; url: registration-response-message-success
text: Section 5.4; url: authentication-response-message-success

spec: FIDO-Registry; urlPrefix: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html
spec: FIDO-Registry; urlPrefix: https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html
type: dfn
text: Section 3.1 User Verification Methods; url: user-verification-methods
text: Section 3.2 Key Protection Types; url: key-protection-types
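Review bot: the urlPrefix now points at the v2.1 Proposed Standard, but the two anchors on the following lines (user-verification-methods, key-protection-types) and their section numbers 3.1 and 3.2 are carried over unchanged; confirm they still resolve in the 2019 document, since a dangling anchor here breaks every reference that relies on this spec entry.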
Expand Down Expand Up @@ -1052,7 +1052,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
given in this specification, and handling communication between [=authenticators=] and [=[RPS]=].

: <dfn>Credential ID</dfn>
:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=] and its [=authentication assertions=].
:: A probabilistically-unique [=byte sequence=] identifying a [=public key credential source=] and its [=authentication assertions=]. At most 1023 bytes long.

Credential IDs are generated by [=authenticators=] in two forms:
1. At least 16 bytes that include at least 100 bits of entropy, or
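Review bot: the new sentence "At most 1023 bytes long." turns a definition into a normative-looking constraint without an RFC 2119 keyword; either phrase it as an explicit requirement ("MUST NOT exceed 1023 bytes") or point at the credentialIdLength field in attested credential data, where the limit is actually stated as a MUST, so the two statements cannot drift apart.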
Expand Down Expand Up @@ -1380,6 +1380,7 @@ that are returned to the caller when a new credential is created, or a new asser
interface PublicKeyCredential : Credential {
[SameObject] readonly attribute ArrayBuffer rawId;
[SameObject] readonly attribute AuthenticatorResponse response;
[SameObject] readonly attribute DOMString? authenticatorAttachment;
AuthenticationExtensionsClientOutputs getClientExtensionResults();
};
</xmp>
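Review bot: authenticatorAttachment is declared as DOMString? rather than AuthenticatorAttachment?; if that is deliberate (so a client can report a value an older RP does not know), a pointer from the IDL to the "SHOULD treat unknown values as if the value were null" text would help, because a reader of the IDL alone cannot see why the enum is not used here.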
Expand All @@ -1398,6 +1399,26 @@ that are returned to the caller when a new credential is created, or a new asser
{{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
will be an {{AuthenticatorAssertionResponse}}.

: <dfn>authenticatorAttachment</dfn>
:: This attribute reports the [=authenticator attachment modality=] in effect at the time the
{{CredentialsContainer/create()|navigator.credentials.create()}} or
{{CredentialsContainer/get()|navigator.credentials.get()}} methods successfully complete.
The attribute’s value SHOULD be a member of {{AuthenticatorAttachment}}. [=[RPS]=] SHOULD treat unknown values
as if the value were null.

<div class="note">
Note: If, as the result of a [=registration ceremony|registration=] or [=authentication ceremony=], {{PublicKeyCredential/authenticatorAttachment}}'s value is "cross-platform" and
concurrently {{isUserVerifyingPlatformAuthenticatorAvailable}} returns [TRUE], then the user employed a [=roaming authenticator=] for this [=ceremony=] while there is an available
[=platform authenticator=]. Thus the [=[RP]=] has the opportunity to prompt the user to register the available [=platform authenticator=], which may enable more streamlined user experience flows.

An [=authenticator's=] [=authenticator attachment modality|attachment modality=] could change over time.
For example, a mobile phone might at one time only support [=platform attachment=]
but later receive updates to support [=cross-platform attachment=] as well.
</div>




: {{PublicKeyCredential/getClientExtensionResults()}}
:: This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
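Review bot: the addition leaves four consecutive blank lines between the closing </div> and the getClientExtensionResults() entry; trim to one. Also, the attribute is nullable in the IDL but the description only says what RPs should do with unknown values, not when a client itself returns null; stating that case (for example, when the client cannot determine the attachment modality) would make the contract complete.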
Expand Down Expand Up @@ -1662,7 +1683,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}</code> is present:

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{authenticatorAttachment}}</code> is
1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/authenticatorAttachment}}</code> is
present and its value is not equal to |authenticator|'s [=authenticator attachment modality=], [=iteration/continue=].

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{residentKey}}</code>
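Review bot: the qualified {{AuthenticatorSelectionCriteria/authenticatorAttachment}} is needed now that PublicKeyCredential also has an authenticatorAttachment member, otherwise the autolink is ambiguous; the next step's bare {{residentKey}} is not ambiguous today but could be qualified the same way for consistency.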
Expand Down Expand Up @@ -1867,6 +1888,9 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the
: {{PublicKeyCredential/[[identifier]]}}
:: |id|

: {{PublicKeyCredential/authenticatorAttachment}}
:: The {{AuthenticatorAttachment}} value matching the current [=authenticator attachment modality=] of |authenticator|.

: {{PublicKeyCredential/response}}
:: A new {{AuthenticatorAttestationResponse}} object associated with |global| whose fields are:

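Review bot: this step always assigns an AuthenticatorAttachment value, and the matching get() step later in this diff does the same, so the nullable type on the attribute is never exercised by the algorithms themselves; either note here that null only arises when an RP maps an unknown string to null, or add an explicit branch for the case where the client cannot determine |authenticator|'s modality.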
Expand Down Expand Up @@ -2233,10 +2257,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:

: {{PublicKeyCredential/[[identifier]]}}

:: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
<code>|assertionCreationData|.[=credentialIdResult=]</code>.

: {{PublicKeyCredential/authenticatorAttachment}}
:: The {{AuthenticatorAttachment}} value matching the current [=authenticator attachment modality=] of |authenticator|.

: {{PublicKeyCredential/response}}
:: A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are:

Expand Down Expand Up @@ -2711,7 +2737,8 @@ attributes.
This enumeration's values describe [=authenticators=]' [=authenticator attachment modality|attachment modalities=].
[=[RPS]=] use this to express a preferred [=authenticator attachment modality=]
when calling {{CredentialsContainer/create()|navigator.credentials.create()}}
to [[#sctn-createCredential|create a credential]].
to [[#sctn-createCredential|create a credential]], and [=clients=] use this to report the [=authenticator attachment modality=]
used to complete a [=registration ceremony|registration=] or [=authentication ceremony=].

<xmp class="idl">
enum AuthenticatorAttachment {
Expand Down Expand Up @@ -4107,6 +4134,8 @@ The privacy, security and operational characteristics of [=attestation=] depend
- The characteristics of the individual [=authenticator=], such as its construction, whether part or all of it runs in a secure
operating environment, and so on.

The [=attestation type=] and [=attestation statement format=] is chosen by the [=authenticator=];
[=[RPS]=] can only signal limited [=attestation conveyance=] preferences during [=registration=].
It is expected that most [=authenticators=] will support a small number of [=attestation types=] and [=attestation statement
formats=], while [=[RPS]=] will decide what [=attestation types=] are acceptable to them by policy. [=[RPS]=] will also need to
understand the characteristics of the [=authenticators=] that they trust, based on information they have about these
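Review bot: subject-verb agreement in the first added line: "The [=attestation type=] and [=attestation statement format=] is chosen" should read "are chosen".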
Expand All @@ -4133,7 +4162,7 @@ object=] for a given credential. Its format is shown in <a href="#table-attested
<tr>
<td><dfn>credentialIdLength</dfn></td>
<td>2</td>
<td>Byte length <strong>L</strong> of Credential ID, 16-bit unsigned big-endian integer.</td>
<td>Byte length <strong>L</strong> of [=credentialId=], 16-bit unsigned big-endian integer. Value MUST be &le; 1023.</td>
</tr>
<tr>
<td><dfn>credentialId</dfn></td>
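Review bot: "Value MUST be &le; 1023." is a requirement on the authenticator producing attested credential data, while the RP-side check added later in this diff only says the RP SHOULD fail registration; the asymmetry is defensible, but a one-line cross-reference from this cell to that ceremony step would let implementers see both halves of the limit together.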
Expand Down Expand Up @@ -4279,7 +4308,7 @@ calling {{CredentialsContainer/create()|navigator.credentials.create()}} they se
[=attestation type=] as a part of [=verification procedure|verification=]. See the "Verification procedure" subsections of
[[#sctn-defined-attestation-formats]]. See also [[#sctn-attestation-privacy]]. For all [=attestation types=] defined in this
section other than [=self attestation|Self=] and [=None=], [=[RP]=] [=verification procedure|verification=] is followed by
matching the [=attestation trust path|trust path=] to an acceptable root certificate per step 21 of [[#sctn-registering-a-new-credential]].
matching the [=attestation trust path|trust path=] to an acceptable root certificate per step 20 of [[#sctn-registering-a-new-credential]].
Differentiating these [=attestation types=] becomes useful primarily as a means for determining if the [=attestation=] is acceptable
under [=[RP]=] policy.

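Review bot: the step reference changes from 21 to 20 here while this same diff inserts a new step (the 1023-byte credentialId check) into the registration ceremony, which would normally push numbers up, not down; re-count against the merged list before landing, and consider replacing hard-coded step numbers with anchors, since the same pattern recurs at "step 20 above" and "step 19 above" further down.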
Expand Down Expand Up @@ -4491,8 +4520,9 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo
- If [=None|no attestation=] was provided, verify that [=None=] attestation is acceptable under [=[RP]=] policy.
- If [=self attestation=] was used, verify that [=self attestation=] is acceptable under [=[RP]=] policy.
- Otherwise, use the X.509 certificates returned as the [=attestation trust path=] from the [=verification procedure=]
to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same).
to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 19 may be the same).

1. Check that the <code>[=credentialId=]</code> is &le; 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this [=registration ceremony=].

1. Check that the <code>[=credentialId=]</code> is not yet registered to any other user. If registration
is requested for a credential that is already registered to a different user, the [=[RP]=] SHOULD
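Review bot: "Credential IDs larger than this many bytes" reads awkwardly; "Credential IDs longer than 1023 bytes" is clearer. The step also writes "the RP" where the rest of the list uses the [=[RP]=] macro, and pairing an unqualified "Check that ..." with a SHOULD in the next sentence leaves the requirement level unclear; a single sentence such as "If the [=credentialId=] is longer than 1023 bytes, the [=[RP]=] SHOULD fail this [=registration ceremony=]" says it once.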
Expand All @@ -4516,7 +4546,7 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo
of the {{PublicKeyCredentialRequestOptions/allowCredentials}} option in future {{CredentialsContainer/get()}} calls
to help the [=client=] know how to find a suitable [=authenticator=].

1. If the attestation statement |attStmt| successfully verified but is not trustworthy per step 21 above, the [=[RP]=] SHOULD fail
1. If the attestation statement |attStmt| successfully verified but is not trustworthy per step 20 above, the [=[RP]=] SHOULD fail
the [=registration ceremony=].

NOTE: However, if permitted by policy, the [=[RP]=] MAY register the [=credential ID=] and credential public key but treat the
Expand All @@ -4525,7 +4555,7 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo
See [[FIDOSecRef]] and [[UAFProtocol]] for a more detailed discussion.

Verification of [=attestation objects=] requires that the [=[RP]=] has a trusted method of determining acceptable trust anchors
in step 20 above. Also, if certificates are being used, the [=[RP]=] MUST have access to certificate status information for the
in step 19 above. Also, if certificates are being used, the [=[RP]=] MUST have access to certificate status information for the
intermediate CA certificates. The [=[RP]=] MUST also be able to build the attestation certificate chain if the client did not
provide this chain in the attestation information.

Expand Down Expand Up @@ -7383,9 +7413,9 @@ for their contributions as our W3C Team Contacts.
"FIDO-Registry": {
"authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
"title": "FIDO Registry of Predefined Values",
"href": "https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html",
"status": "FIDO Alliance Implementation Draft",
"date": "27 February 2018"
"href": "https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html",
"status": "FIDO Alliance Proposed Standard",
"date": "17 December 2019"
},

"FIDO-APPID": {
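Review bot: the reference entry now matches the urlPrefix change at the top of the file; since the title and author list were left unchanged, confirm that the v2.1 Proposed Standard still credits Lindemann, Baghdasaryan and Hill in that order.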

0 comments on commit 89cec45