TokenBindingId value doesn't permit the U2F "unused" value #798
Comments
To expound some more: The presence of the TokenBindingId indicates that the client and server negotiated and are using Token Binding, and the RP can use the ID to detect a MITM. The absence of the TokenBindingId, however, doesn't permit the RP to distinguish between these two cases:
To distinguish between the three total states, we're proposing something along the lines of replacing `dictionary TokenBinding { enum TokenBindingStatus { "present", "supported", "not supported" };` Open to suggestions, of course!
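The RP-side check that the three-state proposal above makes possible, as an added example (it is not code from the WebAuthn spec or any of its implementations): the RP parses clientDataJSON, reads the proposed `tokenBinding.status` and `tokenBinding.id`, and compares them against what its own TLS layer saw for the connection. The status spellings, the returned labels ("bound", "unused", "unsupported"), the treatment of a missing `tokenBinding` member as "not supported", and the rule that a client claim contradicting the server's own negotiation state is rejected are all assumptions of this example; the sample Token Binding IDs and clientData are constructed.

```python
import base64
import binascii
import hmac
import json
from typing import Optional

# Status values as proposed in this thread (spelling assumed; final spec text may differ).
TB_PRESENT = "present"
TB_SUPPORTED = "supported"
TB_NOT_SUPPORTED = "not supported"

# Constructed sample Token Binding IDs (base64url, unpadded), not real values:
# eight 0x01 bytes and eight 0x02 bytes respectively.
SAMPLE_CONN_ID = "AQEBAQEBAQE"
OTHER_CONN_ID = "AgICAgICAgI"


class TokenBindingError(Exception):
    """clientData.tokenBinding is malformed or inconsistent with the TLS connection."""


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url; wrap decoding failures in TokenBindingError."""
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError) as exc:
        raise TokenBindingError(f"invalid base64url Token Binding ID: {exc}") from exc


def check_token_binding(client_data_json: bytes, connection_tb_id: Optional[str]) -> str:
    """Validate clientData.tokenBinding against the RP's own view of the connection.

    connection_tb_id is the base64url Token Binding ID the server negotiated on
    this TLS connection, or None when Token Binding was not negotiated.
    Returns "bound", "unused" or "unsupported"; raises TokenBindingError to reject.
    """
    client_data = json.loads(client_data_json)
    tb = client_data.get("tokenBinding")
    if tb is None:
        # Clients predating the member omit it entirely; treat as "not supported".
        return "unsupported"
    if not isinstance(tb, dict):
        raise TokenBindingError("tokenBinding must be a dictionary")
    status = tb.get("status")
    tb_id = tb.get("id")

    if status == TB_PRESENT:
        if not isinstance(tb_id, str) or not tb_id:
            raise TokenBindingError("status 'present' requires an id")
        if connection_tb_id is None:
            raise TokenBindingError("client claims Token Binding but server did not negotiate it")
        # Constant-time comparison of the decoded IDs; a mismatch is the MITM signal.
        if not hmac.compare_digest(b64url_decode(tb_id), b64url_decode(connection_tb_id)):
            raise TokenBindingError("Token Binding ID mismatch: possible man-in-the-middle")
        return "bound"

    if status in (TB_SUPPORTED, TB_NOT_SUPPORTED):
        if tb_id is not None:
            raise TokenBindingError(f"status {status!r} must not carry an id")
        if connection_tb_id is not None:
            # Token Binding cannot be negotiated without client participation,
            # so a server-side ID contradicts either claim (assumed rule).
            raise TokenBindingError("server negotiated Token Binding but client reports none")
        return "unused" if status == TB_SUPPORTED else "unsupported"

    raise TokenBindingError(f"unknown tokenBinding status {status!r}")


def is_rejected(client_data_json: bytes, connection_tb_id: Optional[str]) -> bool:
    """True when the RP should refuse the response because of the tokenBinding check."""
    try:
        check_token_binding(client_data_json, connection_tb_id)
        return False
    except TokenBindingError:
        return True


def make_client_data(tb) -> bytes:
    """Build constructed clientDataJSON for demonstration (not real browser output)."""
    client_data = {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ", "origin": "https://rp.example"}
    if tb is not None:
        client_data["tokenBinding"] = tb
    return json.dumps(client_data).encode()


if __name__ == "__main__":
    print(check_token_binding(make_client_data({"status": TB_PRESENT, "id": SAMPLE_CONN_ID}), SAMPLE_CONN_ID))
    print(is_rejected(make_client_data({"status": TB_PRESENT, "id": OTHER_CONN_ID}), SAMPLE_CONN_ID))
    print(check_token_binding(make_client_data({"status": TB_SUPPORTED}), None))
    print(check_token_binding(make_client_data(None), None))
```

With a single base64url string, the "supported but unused" and "not supported" cases both collapse into an empty field and the RP cannot tell a downgraded client from one that never offered Token Binding; the separate status member keeps them apart without a magic sentinel like U2F's "unused".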
Seems reasonable to me. I agree with making it a separate property instead of a magic value. If we rename the
Then we would have the cases
But perhaps this makes the logic too convoluted. @kpaulh's proposal does look good to me as is.
We did consider that reduction of the status, but were thinking that the discrete states would be clearer and reduce misunderstanding. I think
The existing string was not able to express the ternary nature of token binding for a given connection. See referenced bug for discussion. Fixes w3c#798
Kim is out at the moment so I did something that I hope is correct in #802.
+1 Thanks, Adam!
Currently the WebAuthn spec defines the TB ID as just a base64url value. This does not allow for a sentinel value that indicates that the "client supports token binding, but did not use it because server claimed no support". This value was called "unused" in U2F.
Working on a PR to rectify this.
I'm sorry this went unnoticed until now. I don't think anyone else supports TokenBinding yet (?) and I think it will be a small change.