Acceptable UV caching time affordance extension added #2021
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -7580,6 +7580,61 @@ To <dfn abstract-op>Create a new supplemental public key record</dfn>, perform t | |||||
| [=set/append=] this [=supplemental public key record=] to |credentialRecord|.[$credential record/supplementalPubKeys$]. | ||||||
|
|
||||||
|
|
||||||
| ### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension} | ||||||
|
|
||||||
| In some cases it is good enough for the [=[RP]=] to know whether the user was verified by the authenticator "recently". | ||||||
|
|
||||||
| This extension allows the [=[RP]=] to specify such [=user verification=] caching time, i.e. the time for which the [=user verification=] status can be "cached" by the [=authenticator=]. | ||||||
|
|
||||||
| For example: Do not ask the user for a fresh [=user verification=] for sign-in if the user was verified by this authenticator within the past 300 seconds. | ||||||
|
|
||||||
| : Extension identifier | ||||||
| :: `userVerificationCaching` | ||||||
|
|
||||||
| : Operation applicability | ||||||
| :: [=authentication extension|authentication=] | ||||||
|
|
||||||
| : Client extension input | ||||||
| :: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified. | ||||||
|
There was a problem hiding this comment. Should we bound this with a min and max? (#2034 (comment)) |
||||||
| <xmp class="idl"> | ||||||
| partial dictionary AuthenticationExtensionsClientInputs { | ||||||
| unsigned long long maxTimeSinceLastUV; | ||||||
|
There was a problem hiding this comment. This member name needs to be the same as the extension identifier.
Suggested change
There was a problem hiding this comment. should There was a problem hiding this comment. Yes, ...oh, I was about to say we use the same type for |
||||||
| }; | ||||||
| </xmp> | ||||||
|
|
||||||
| : Client extension processing | ||||||
| :: None, except creating the [=authenticator extension input=] from the client extension input. | ||||||
|
|
||||||
| : Client extension output | ||||||
| :: Returns the number of milliseconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=]. | ||||||
|
|
||||||
| <xmp class="idl"> | ||||||
| partial dictionary AuthenticationExtensionsClientOutputs { | ||||||
| unsigned long long timeSinceLastUV; | ||||||
|
There was a problem hiding this comment. This member name needs to be the same as the extension identifier.
Suggested change
|
||||||
| }; | ||||||
| </xmp> | ||||||
|
|
||||||
| : Authenticator extension input | ||||||
| :: The maximum acceptable time in milliseconds elapsed since last user verification, encoded in CBOR. | ||||||
|
There was a problem hiding this comment. What's missing here is the negative case - if this extension is not present, do not allow caching at all. This needs to be clearly stated in the spec. |
||||||
|
|
||||||
| ``` | ||||||
| $$extensionInput //= ( | ||||||
| mtslUV: uint .size 4 | ||||||
|
There was a problem hiding this comment. This member name needs to be the same as the extension identifier.
Suggested change
|
||||||
| ) | ||||||
| ``` | ||||||
|
|
||||||
| : Authenticator extension processing | ||||||
| :: When user verification is requested, the [=authenticator=] triggers user verification only if more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension. | ||||||
|
There was a problem hiding this comment. "If more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension, request [=user verification=]." |
||||||
|
|
||||||
| : Authenticator extension output | ||||||
| :: If no fresh user verification needed to be triggered triggered, the authenticator reports the time last last user verification time back to the [=[RP]=] to ensure the [=[RP]=] is aware that no fresh user verification was triggered. It is up to the authenticator to decide whether to return the real elapsed time, or a "rounded" value. If user verification was requested, this value SHALL not exceed the value originally provided in the extension input. | ||||||
|
There was a problem hiding this comment. What is the extension output if UV is done as part of the current ceremony? I know that the UV bit should be set in authenticatorData, but should the extension output also be set with a value of 0 perhaps? The purpose of returning that is to at least indicate to the RP that the extension was acknowledge and processed. The RP could infer that UV was done, but might otherwise not have been if the maxTimeSinceLastUV had been shorter. This would differentiate it from an authenticator that doesn't support the extension and just did UV because it always does UV when There was a problem hiding this comment. To be clear, the suggestion here is that extension output should be set to |
||||||
|
|
||||||
| ``` | ||||||
| $$extensionOutput //= ( | ||||||
| tslUV: uint .size 4 | ||||||
|
There was a problem hiding this comment. This member name needs to be the same as the extension identifier.
Suggested change
|
||||||
| ) | ||||||
| ``` | ||||||
|
|
||||||
|
|
||||||
| # User Agent Automation # {#sctn-automation} | ||||||
|
|
||||||
| For the purposes of user agent automation and [=web application=] testing, this document defines a number of [[WebDriver]] [=extension commands=]. | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is where the user verification selection criteria should go IMO.
Also shouldn't this apply to both creation and authentication?
If so, suggest the following: