Switch |tokenBindingId| to a structure. #802
Conversation
The existing string was not able to express the ternary nature of token binding for a given connection. See referenced bug for discussion. Fixes w3c#798
index.bs
Outdated
| : {{CollectedClientData/tokenBindingId}} | ||
| :: The [=Token Binding ID=] associated with |callerOrigin|, if one is available. | ||
| : {{CollectedClientData/tokenBinding}} | ||
| :: The status of [=Token Binding=] between the client and the |callerOrigin| as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. |
There was a problem hiding this comment.
Tiny nit: I suggest moving the comma to just before "as well": "The status of [...], as well as the [...] if one is available". So that "if one is available" refers to just the token binding ID instead of the whole structure. You're welcome to ignore this comment if you wish.
index.bs
Outdated
| : {{CollectedClientData/tokenBindingId}} | ||
| :: The [=Token Binding ID=] associated with |callerOrigin|, if one is available. | ||
| : {{CollectedClientData/tokenBinding}} | ||
| :: The status of [=Token Binding=] between the client and the |callerOrigin| as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. |
There was a problem hiding this comment.
Tiny nit: I suggest moving the comma to just before "as well": "The status of [...], as well as the [...] if one is available". So that "if one is available" refers to just the token binding ID instead of the whole structure. You're welcome to ignore this comment if you wish.
| @@ -2930,8 +2937,7 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) as part | |||
|
|
|||
| 1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=]. | |||
|
|
|||
| 1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> (if present) matches the [=Token Binding ID=] | |||
| for the TLS connection over which the signature was obtained. | |||
| 1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. | |||
There was a problem hiding this comment.
"signature" has been erroneously changed to "attestation" here, in "for the TLS connection over which the signature was obtained". Perhaps we should change "signature" to "[=assertion=]" while we're at it?
There was a problem hiding this comment.
Thanks for catching that. Done.
|
thx @emlun for the fine-detail review & suggestions :) |
|
merge this? |
|
Yup. |
|
(I believe the repo is locked and so merges aren't possible, at least for me. However, if anyone has the button to click, I believe this is ready to merge.) |
The existing string was not able to express the ternary nature of token
binding for a given connection. See referenced bug for discussion.
Fixes #798
Preview | Diff