- From: Vijay Bharadwaj <vijaybh@microsoft.com>
- Date: Thu, 7 Jul 2016 08:02:53 +0000
- To: "Hodges, Jeff" <jeff.hodges@paypal.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
One way to do this would be to use inheritance - define a base type WebAuthnAssertion with just a credential member and then derive interfaces from it with additional members as needed.
Another way would be to define the assertion as having type any, and specify in the text of the spec how the type is determined based on the AssertionFormat (how do you feel about this shortened name btw?).
-----Original Message-----
From: Hodges, Jeff [mailto:jeff.hodges@paypal.com]
Sent: Wednesday, July 06, 2016 5:20 PM
To: public-webauthn@w3.org
Subject: [webauthn] CredentialType (was: TAG review feedback: Align Credential interface with Credential Management?
On 7/6/16, 9:05 AM, "Hodges, Jeff" <jeff.hodges@paypal.com> wrote:
>On 7/5/16, 11:59 PM, "Vijay Bharadwaj via GitHub" <sysbot+gh@w3.org>
>wrote:
>
>>- Possibly rename CredentialType to version to make it clearer what
>>this field signifies (since ScopedCredential is itself arguably a
>>credential type and ScopedCredentialType is unwieldy)
[ tho Mike West has replied to the original msg, the below is a tangentially related subitem of the latter ]
the WebAuthentication API <https://w3c.github.io/webauthn/#idl-index> is only about what we've so far called "ScopedCredentials", which have various overall characteristics such as utilizing asymmetric key pairs, plus associated signature and hash algs, and being scoped to RPs based on
eTLD+1.
So I agree with Vijay that we should rename CredentialType. As Vijay noted (on the call today) that someone(s) have mentioned: perhaps it could be used to signify assertions' particular construction aka "signature & assertion format", in similar fashion to "attestation format". I think we should look into doing that, which inherently incorporates a notion of "version" because if in the future a particular "signature & assertion format" is altered, we can assign the new format a new name.
Also, presently, CredentialType (aka SignatureFormat) and AlgorithmIdentifier (i.e., the cryptographic parameters) are separate items..
dictionary ScopedCredentialParameters {
required CredentialType type;
required AlgorithmIdentifier algorithm;
};
..and, AFAICT, the signature format section [1] of the spec is orthogonal to the particular crypto key pair type + sig alg, which are specified by ScopedCredentialParameters.algorithm.
So perhaps we can rename CredentialType to something like SignatureAndAssertionFormat, and term the present construction as "ScopedCred1" or something like that..
enum SignatureAndAssertionFormat {
"ScopedCred1"
};
..where a particular SignatureAndAssertionFormat value signifies a given composition of the clientData, authenticatorData, signature components of a WebAuthnAssertion..
interface WebAuthnAssertion {
readonly attribute Credential credential;
readonly attribute ArrayBuffer clientData;
readonly attribute ArrayBuffer authenticatorData;
readonly attribute ArrayBuffer signature;
};
..and "ScopedCred1" represents the specification of the contents of those components as specified in the WebAuthn spec.
What I'd offhand like to try to specify is something like (borrowing from TLS presentation language here (RFC5246)..
interface Credential {
readonly attribute SignatureAndAssertionFormat sigAssnFmt;
readonly attribute BufferSource id;
};
interface WebAuthnAssertion {
readonly attribute Credential credential;
select from credential.sigAssnFmt {
case "ScopedCred1": // defined in WebAuthn Level 1 spec
readonly attribute ArrayBuffer clientData;
readonly attribute ArrayBuffer authenticatorData;
readonly attribute ArrayBuffer signature;
case "...": // defined in <fill-in-here> spec
...;
};
};
..but I don't know whether and how to do that in proper webidl.
thoughts?
=JeffH
[1] https://w3c.github.io/webauthn/#signature-format
Received on Thursday, 7 July 2016 08:04:16 UTC