Skip to content

Commit

Permalink
decorate all RP ID occurances
Browse files Browse the repository at this point in the history
  • Loading branch information
JeffH authored and JeffH committed May 7, 2017
1 parent 6d4cfff commit a76f962
Showing 1 changed file with 19 additions and 19 deletions.
38 changes: 19 additions & 19 deletions index.bs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -387,9 +387,9 @@ the full [=origin=] of the requester is included, and signed over, in the [=atte
is created as well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious [RPS] from probing for the presence of credentials belonging to
other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
other [RPS], each credential is also associated with a Relying Party Identifier, or [=RP ID=]. This [=RP ID=] is provided by the client
to the authenticator for all operations, and the authenticator ensures that credentials created by a [=[RP]=] can only be used
in operations requested by the same RP ID. Separating the [=origin=] from the RP ID in this way allows the API to be used in
in operations requested by the same [=RP ID=]. Separating the [=origin=] from the [=RP ID=] in this way allows the API to be used in
cases where a single [=[RP]=] maintains multiple [=origins=].

The client facilitates these security measures by providing correct [=origins=] and RP IDs to the [=authenticator=] for each
Expand Down Expand Up @@ -1370,7 +1370,7 @@ The [=authenticator data=] structure is a byte array of 37 bytes or more, as fol
<tr>
<td>32</td>
<td>
SHA-256 hash of the RP ID associated with the credential.
SHA-256 hash of the [=RP ID=] associated with the credential.
</td>
</tr>
<tr>
Expand Down Expand Up @@ -1403,11 +1403,11 @@ The [=authenticator data=] structure is a byte array of 37 bytes or more, as fol
</tr>
</table>

The RP ID is originally received from the client when the credential is created, and again when an assertion is generated.
However, it differs from other [=client data=] in some important ways. First, unlike the client data, the RP ID of a credential
The [=RP ID=] is originally received from the client when the credential is created, and again when an assertion is generated.
However, it differs from other [=client data=] in some important ways. First, unlike the client data, the [=RP ID=] of a credential
does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated
by the authenticator during the [=authenticatorGetAssertion=] operation, by verifying that the RP ID associated with the
requested credential exactly matches the RP ID supplied by the client.
by the authenticator during the [=authenticatorGetAssertion=] operation, by verifying that the [=RP ID=] associated with the
requested credential exactly matches the [=RP ID=] supplied by the client.

The `TUP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The `RFU` bits
SHALL be set to zero.
Expand Down Expand Up @@ -1472,9 +1472,9 @@ When this operation is invoked, the authenticator must perform the following pro
parameters supported by this authenticator.
- Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
credentials with the same type across all authenticators.
- Associate the credential with the specified RP ID and the user's account identifier
- Associate the credential with the specified [=RP ID=] and the user's account identifier
{{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}.
- Delete any older credentials with the same RP ID and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}} that
- Delete any older credentials with the same [=RP ID=] and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}} that
are stored locally in the authenticator.
- If any error occurred while creating the new credential object, return an error code equivalent to UnknownError and terminate
the operation.
Expand All @@ -1500,7 +1500,7 @@ When this method is invoked, the authenticator must perform the following proced
- Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
equivalent to UnknownError and terminate the operation.
- If a list of credentials was supplied by the client, filter it by removing those credentials that are not present on this
authenticator. If no list was supplied, create a list with all credentials stored for the caller's RP ID (as determined by
authenticator. If no list was supplied, create a list with all credentials stored for the caller's [=RP ID=] (as determined by
an exact match of the RP ID).
- If the previous step resulted in an empty list, return an error code equivalent to NotAllowedError and terminate the
operation.
Expand Down Expand Up @@ -1847,7 +1847,7 @@ When registering a new credential, represented by a {{AuthenticatorAttestationRe
{{AuthenticatorAttestationResponse}} structure to obtain the attestation statement format |fmt|, the [=authenticator data=]
|authData|, and the attestation statement |attStmt|.

8. Verify that the RP ID hash in |authData| is indeed the SHA-256 hash of the RP ID expected by the RP.
8. Verify that the [=RP ID=] hash in |authData| is indeed the SHA-256 hash of the [=RP ID=] expected by the RP.

9. Determine the attestation statement format by performing an USASCII case-sensitive match on |fmt| against the set of
supported WebAuthn Attestation Statement Format Identifier values.
Expand Down Expand Up @@ -1922,7 +1922,7 @@ MUST proceed as follows:
[=[RP]=] and that the {{CollectedClientData/authenticatorExtensions}} in |C| is also a proper subset of the extensions
requested by the [=[RP]=].

8. Verify that the RP ID hash in |aData| is the SHA-256 hash of the RP ID expected by the [=[RP]=].
8. Verify that the [=RP ID=] hash in |aData| is the SHA-256 hash of the [=RP ID=] expected by the [=[RP]=].

9. Let |hash| be the result of computing a hash over the |cData| using the algorithm represented by the
{{CollectedClientData/hashAlg}} member of |C|.
Expand Down Expand Up @@ -2264,7 +2264,7 @@ been used for the attestation=] is consistent with the fields of the attestation
- The value of the `attestationChallenge` field is identical to the concatenation of |authenticatorData| and
|clientDataHash|.
- The `AuthorizationList.allApplications` field is <em>not</em> present, since PublicKeyCredentials must be bound to the
RP ID.
[=RP ID=].
- The value in the `AuthorizationList.origin` field is equal to `KM_TAG_GENERATED`.
- The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.
- If successful, return attestation type Basic with the trust path set to the entire attestation statement.
Expand Down Expand Up @@ -2374,7 +2374,7 @@ This attestation statement format is used with FIDO U2F authenticators using the
|clientDataHash|.

Generate a signature as specified in [[FIDO-U2F-Message-Formats]] section 4.3, with the application parameter set to the
SHA-256 hash of the RP ID associated with the given credential, the challenge parameter set to |tbsHash|, and the key handle
SHA-256 hash of the [=RP ID=] associated with the given credential, the challenge parameter set to |tbsHash|, and the key handle
parameter set to the credential ID of the given credential. Set this as |sig| and set the attestation certificate of
the attestation public key as |x5c|.

Expand All @@ -2386,9 +2386,9 @@ This attestation statement format is used with FIDO U2F authenticators using the
|clientDataHash| denote the [=hash of the serialized client data=].
- If |clientDataHash| is 256 bits long, set |tbsHash| to this value. Otherwise set |tbsHash| to the SHA-256
hash of |clientDataHash|.
- From |authenticatorData|, extract the claimed RP ID hash, the claimed credential ID and the claimed credential public key.
- From |authenticatorData|, extract the claimed [=RP ID=] hash, the claimed credential ID and the claimed credential public key.
- Generate the claimed to-be-signed data as specified in [[FIDO-U2F-Message-Formats]] section 4.3, with the application
parameter set to the claimed RP ID hash, the challenge parameter set to |tbsHash|, the key handle parameter set to the
parameter set to the claimed [=RP ID=] hash, the challenge parameter set to |tbsHash|, the key handle parameter set to the
claimed credential ID of the given credential, and the user public key parameter set to the claimed credential public
key.
- Verify that the |sig| is a valid ECDSA P-256 signature over the to-be-signed data constructed above.
Expand Down Expand Up @@ -2838,7 +2838,7 @@ This [=registration extension=] and [=authentication extension=] enables use of

Example for [=authenticator data=] containing one UVI extension
<pre>
... -- RP ID hash (32 bytes)
... -- [=RP ID=] hash (32 bytes)
81 -- TUP and ED set
00 00 00 01 -- (initial) signature counter
... -- all public key alg etc.
Expand Down Expand Up @@ -2888,7 +2888,7 @@ WebAuthn relying party.
Specification](https://dev.w3.org/geo/api/spec-source.html#coordinates_interface).

<pre>
... -- RP ID hash (32 bytes)
... -- [=RP ID=] hash (32 bytes)
81 -- TUP and ED set
00 00 00 01 -- (initial) signature counter
... -- all public key alg etc.
Expand Down Expand Up @@ -2962,7 +2962,7 @@ This [=registration extension=] and [=authentication extension=] enables use of
Example for [=authenticator data=] containing one UVM extension for a multi-factor authentication instance where 2 factors
were used:
<pre>
... -- RP ID hash (32 bytes)
... -- [=RP ID=] hash (32 bytes)
81 -- TUP and ED set
00 00 00 01 -- (initial) signature counter
... -- all public key alg etc.
Expand Down

0 comments on commit a76f962

Please sign in to comment.