- From: Alexei Czeskis <aczeskis@google.com>
- Date: Tue, 11 Apr 2017 12:40:39 -0700
- To: "J.C. Jones" <jc@mozilla.com>
- Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>, Vijay Bharadwaj <vijaybh@microsoft.com>, Angelo Liao <huliao@microsoft.com>, Anthony Nadalin <tonynad@microsoft.com>, Mike West <mkwst@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>
- Message-ID: <CAM_SUqeRaUamhoKY40cs2q-8+UfHDnFfvS5wjFZ7oV0hP7A_Vg@mail.gmail.com>
I'll throw up (not literally) a PR by EOD. Thanks!

-Alexei

. Alexei Czeskis .:. Securineer .:. 317.698.4740 .

On Tue, Apr 11, 2017 at 12:29 PM, J.C. Jones <jc@mozilla.com> wrote:
> Yes, I, too, would like to see a PR for this alignment. I like it, too!
>
> We've been holding off on further implementation in Firefox waiting for PR #384 to merge; Everyone I've involved over here in Mozilla agrees that CredMan and WebAuthn lining up like this would be a good thing. To use Vijay's want list, I'm not hung up on aligning method names (Vijay's #3), but I strongly believe we should get the rest of the alignment before moving to an implementation draft.
>
> J.C.
>
> On Tue, Apr 11, 2017 at 11:53 AM, Angelo Liao <huliao@microsoft.com> wrote:
>
>> Alexei, can you please create a PR based on the proposal below? This way we can move the conversation along much sooner. If you are busy, I can help create the PR. In the interest of expediency, let's not worry too much about the editorials in the PR.
>>
>> From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
>> Sent: Tuesday, April 11, 2017 9:28 AM
>> To: Alexei Czeskis <aczeskis@google.com>; Anthony Nadalin <tonynad@microsoft.com>; Mike West <mkwst@google.com>
>> Cc: Hodges, Jeff <jeff.hodges@paypal.com>; public-webauthn@w3.org
>> Subject: RE: PR #384 CredMan Integration
>>
>> I would love to make the world a better place better.
>>
>> In my mind, the merge has 3 parts:
>>
>> 1. Align namespaces between WebAuthn and Credential Management
>> 2. Align the API calling patterns (dictionaries instead of explicitly enumerated arguments)
>> 3. Align the method names (get, create, store)
>>
>> Of these I think #1 and #2 are the must-haves, and #3 is something that I personally would not be upset to postpone to a v2.
>> This allows us to focus on syntactic questions for now and avoid the more contentious questions around method naming which often become about semantics. From a practical perspective, renaming methods is also fairly easy to do later.
>>
>> So I like this proposal since it attempts something like the above.
>>
>> @Mike West <mkwst@google.com> – what is your opinion?
>>
>> From: Alexei Czeskis [mailto:aczeskis@google.com]
>> Sent: Tuesday, April 11, 2017 9:05 AM
>> To: Anthony Nadalin <tonynad@microsoft.com>
>> Cc: Hodges, Jeff <jeff.hodges@paypal.com>; public-webauthn@w3.org
>> Subject: Re: PR #384 CredMan Integration
>>
>> Dear list,
>>
>> I'm all for getting the spec done fast, for getting implementations out fast, and for making the world a better place faster. If we want to speed things up, I'm not convinced that the PR as it is right now is the right move. I'm not simply arguing for making fast progress and accepting a messy API landscape in return. I'm arguing for not venturing into the unknown to find the perfect -- in effect passing on the known-good.
>>
>> I believe that in its current form, the merge will cause questions that will take a while to iron out. I would suggest an alternate approach: hold off on the merge until the proposal does not have as many unknowns. Maybe that means waiting until version 2. It's true that at that point we'll have gone down different roads with credman and merging might be harder, but surely worse things have happened.
>>
>> In my opinion, the big reason to be hesitant about this merge is that it takes us down the path of one single .makeAuthFactor() and one single .getAuthFactor() method. Where .makeAuthFactor() can result in a username/password, password, oauth token, url of oauth provider, a public key of one kind or another. I'm not convinced that that's the right big picture approach.
>> Maybe it is, maybe it isn't -- but going down that path opens up A LOT of questions, not just about the specs, but about UI/UX as well. For example, for usernames and password -- the browser manages identities and shows the UX for selection. For authenticators such as phones, the phone does. I'm not sure what the right way to show UX is there. Maybe it's not a problem for Edge that might just call Hello, but I'm not sure what cross-operating-system browsers such as FF and Chrome would do. Or for example, consider during the create account phase when acme.com tells the browser that it'll accept a username/password/oauth token from Google or Facebook or an Authenticator -- what does the browser draw then? How does the user choose? We haven't figured out what it means to not require user mediation for webauthn, because there are lots of details. The relationship between user accounts and passwords is 1:1 -- but that's not the case for users and authenticators.
>>
>> I can keep going, but the point is that there are questions here -- lots of them. It will take a while to iron them out, to play with implementations, to iterate, to refactor, to make a UX that users understand. On the other hand, we pretty much know how to build webauthn in its current form. It's self-contained and doesn't depend on any outside specs. If I understand the proposed merge correctly, it also requires that the credential management API be changed. So now, before any webauthn api can be put out, the credential management API must be refactored and only then can webauthn be developed.
>> Also, let's not forget that there are websites that depend on the current credential management API.
>>
>> Perhaps my English is a bit Russian, but this email is meant not as a "whimper", but as a well-laid-out, technically-sound argument, worthy of your serious consideration. I look forward to your comments and feedback!
>>
>> The PR is not the only possible credman merge proposal. Here is another (if you don't like this one, we've got another):
>>
>> interface Credential {
>>   readonly attribute USVString id;
>>   readonly attribute DOMString type;
>> };
>>
>> ----------------------------------------------------
>>
>> interface BearerCredential : Credential {
>>   readonly attribute USVString name;
>>   readonly attribute USVString iconURL;
>> };
>>
>> interface PasswordCredential : BearerCredential {
>>   attribute USVString idName;
>>   attribute USVString passwordName;
>>
>>   attribute CredentialBodyType? additionalData;
>> };
>>
>> // similar for FederatedCredential
>>
>> --------------------------------------------
>>
>> interface PublicKeyCredential : Credential {
>>   readonly attribute object publicKey;
>> };
>>
>> interface AuthenticatorResponse {
>>   readonly attribute PublicKeyCredential credential;
>>   readonly attribute ArrayBuffer clientDataJSON;
>> };
>>
>> // note that this is just a renamed ScopedCredentialInfo,
>> // with the addition of a public key, id, and type in it (as part of the
>> // credential attribute)
>> interface MakeCredentialResponse : AuthenticatorResponse {
>>   readonly attribute ArrayBuffer attestationObject;
>> };
>>
>> // note that this is just a renamed AuthenticationAssertion
>> interface AssertionResponse : AuthenticatorResponse {
>>   readonly attribute ArrayBuffer authenticatorData;
>>   readonly attribute ArrayBuffer signature;
>> };
>>
>> -------------------------------------------
>>
>> partial interface Navigator {
>>   readonly attribute CredentialsContainer credentials;
>> };
>>
>> interface CredentialsContainer {
>>   readonly attribute BearerCredentials bearer;
>>   readonly attribute PublicKeyCredentials publicKey;
>> };
>>
>> interface BearerCredentials {
>>   Promise<BearerCredential?> get(CredentialRequestOptions options);
>>   Promise<BearerCredential> store(BearerCredential credential);
>>   Promise<void> requireUserMediation();
>> };
>>
>> // continue here as in existing CredMan API
>>
>> ------------------------------------------------------------
>>
>> interface PublicKeyCredentials {
>>   Promise<MakeCredentialResponse> makeCredential(
>>       RelyingPartyUserInfo accountInformation,
>>       sequence<ScopedCredentialParameters> cryptoParameters,
>>       BufferSource attestationChallenge,
>>       optional ScopedCredentialOptions options);
>>
>>   Promise<AssertionResponse> getAssertion(
>>       BufferSource assertionChallenge,
>>       optional AssertionOptions options);
>> };
>>
>> // continue here as in existing Webauthn API
>> // (note that the naming here treats the key pair as *the credential*, and the thing
>> // that is sent over the wire is something else - an authenticator response, etc.)
>>
>> --------------------------------------------------------
>>
>> // Example: generating and registering a new key follows
>>
>> var webauthnAPI = navigator.credentials.publicKey;
>>
>> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>>
>> var userAccountInformation = {
>>   rpDisplayName: "Acme",
>>   displayName: "John P. Smith",
>>   name: "johnpsmith@example.com",
>>   id: "1098237235409872",
>>   imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
>> };
>>
>> // This Relying Party will accept either an ES256 or RS256 credential, but
>> // prefers an ES256 credential.
>> var cryptoParams = [
>>   {
>>     type: "publicKey",
>>     algorithm: "ES256"
>>   },
>>   {
>>     type: "publicKey",
>>     algorithm: "RS256"
>>   }
>> ];
>>
>> var challenge = new TextEncoder().encode("climb a mountain");
>> var options = {
>>   timeout: 60000,                          // 1 minute
>>   excludeList: [],                         // No excludeList
>>   extensions: {"webauthn.location": true}  // Include location information in attestation
>> };
>>
>> // Note: The following call will cause the authenticator to display UI.
>> webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
>>   .then(function (makeCredentialResponse) {
>>     // Send make credential response to server for verification and registration.
>>   }).catch(function (err) {
>>     // No acceptable authenticator or user refused consent. Handle appropriately.
>>   });
>>
>> --------------------------------------------------------
>>
>> // Example: authentication without hints
>>
>> var webauthnAPI = navigator.credentials.publicKey;
>>
>> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>>
>> var challenge = new TextEncoder().encode("climb a mountain");
>> var options = {
>>   timeout: 60000,  // 1 minute
>>   allowList: [{ type: "publicKey" }]
>> };
>>
>> webauthnAPI.getAssertion(challenge, options)
>>   .then(function (assertionResponse) {
>>     // Send assertion response to server for verification
>>   }).catch(function (err) {
>>     // No acceptable credential or user refused consent. Handle appropriately.
>>   });
>>
>> --------------------------------------------------------
>>
>> // Example: authentication with hints
>>
>> var webauthnAPI = navigator.credentials.publicKey;
>>
>> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>>
>> var encoder = new TextEncoder();
>> var challenge = encoder.encode("climb a mountain");
>> var acceptableCredential1 = {
>>   type: "publicKey",
>>   id: encoder.encode("!!!!!!!hi there!!!!!!!\n")
>> };
>> var acceptableCredential2 = {
>>   type: "publicKey",
>>   id: encoder.encode("roses are red, violets are blue\n")
>> };
>>
>> var options = {
>>   timeout: 60000,  // 1 minute
>>   allowList: [acceptableCredential1, acceptableCredential2],
>>   extensions: {
>>     'webauthn.txauth.simple': "Wave your hands in the air like you just don’t care"
>>   }
>> };
>>
>> webauthnAPI.getAssertion(challenge, options)
>>   .then(function (assertion) {
>>     // Send assertion response to server for verification
>>   }).catch(function (err) {
>>     // No acceptable credential or user refused consent. Handle appropriately.
>>   });
>>
>> --------------------------------------------------------
>>
>> Advantages of this Proposal
>>
>> - Fewer changes to CredMan & WebAuthn specs
>> - No need to have a no-op store() operation for PublicKeyCredentials
>> - No need to reconcile the two notions of user mediation. credentials.bearer uses the requireUserMediation operation, whereas credentials.publicKey uses a parameter in the ScopedCredentialOptions
>> - The only thing a reader of the webauthn spec has to understand about the CredMan spec is the (very simple) Credential interface.
>> - New methods like cancel() and promoteAuthenticatorIfAvailable() can easily be added to credentials.publicKey without having to worry how they interact with other credential types.
>>
>> Thanks!
>>
>> -Alexei
>>
>> . Alexei Czeskis .:. Securineer .:. 317.698.4740 .
>>
>> On Mon, Apr 10, 2017 at 7:14 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>> Too nice, need to raise a formal objection not whimpers as I can't read between the lines
>>
>> -----Original Message-----
>> From: Hodges, Jeff [mailto:jeff.hodges@paypal.com]
>> Sent: Monday, April 10, 2017 4:18 PM
>> To: public-webauthn@w3.org
>> Subject: Re: PR #384 CredMan Integration
>>
>> On 4/10/17, 2:29 PM, "Anthony Nadalin" <tonynad@microsoft.com> wrote:
>>
>> > So based upon the discussions that have been going on there seems to be some issues raised on what happens when we merge.
>> > I have not heard any real outright objections to the merge,
>>
>> Dirk made such an outright objection -- but perhaps he said it too nicely [0]:
>>
>>   ..I'm arguing against accepting https://github.com/w3c/webauthn/pull/384 as is, because I believe it will create a lot of future work for us that will slow us down.
>>
>> > so in favor of progress I suggest we accept #384 and deal with the questions as they come up with Mike West, as we seem to be just going around and around w/o making a decision.
>>
>> A more productive approach may be to consider our options in light of the desire to have an implementable and nominally usable draft webauthn level 1 API in the near term.
>>
>> To me the decision context appears to be:
>>
>> What's more important,
>>
>>   (1) near-term implementable & adoptable/deployable webauthn draft with or without credman incorporation, or,
>>
>>   (2) adding credman dependency now (because it seems we will do it at some point regardless), i.e., merge PR#384 as-is, and hope the resultant fixing/polishing does not take "too long" ?
>>
>> Tony is suggesting (2).
>>
>> in [0] Dirk is arguing that (2) will result in taking "too long", and implies we should do option B plus some renaming.
>>
>> Though, an option (3) is that we could think things through more thoroughly, convince ourselves option C (below) is the correct thing to do in light of the other below options, and if it is, revise the PR#384 appropriately, then merge. One could argue this will take less time than just merging #384 as-is.
>> @mikewest replied to Dirk's points in detail in [3], so we've embarked on option (3) if we hold off on merging. This is what I'd vote for.
>>
>> HTH,
>>
>> =JeffH
>>
>> details:
>>
>> Again, the webauthn||credman options [1][2] are:
>>
>> A. Just Rename (slides 8, 9)
>> (as noted in the F2F minutes, this is to just "'rename' scopedCredential" such that webauthn (WA) does not use the term 'credential' in its API)
>>
>> B. Join credman class hierarchy, keep webauthn methods (slides 10..14)
>>
>> C. Join credman (CM) class hierarchy, use CM methods (slides 15..18)
>>
>> Plus, there is also the status-quo:
>>
>> D. Leave credman and webauthn entirely separate for their "level 1" (ie initial version) incarnations (leaves door open to address some sort of merger in level 2 incarnations).
>>
>> [0] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0138.html
>>
>> [1] WebAuthn vs Credential Management (@balfanz) <https://docs.google.com/presentation/d/1RyfQS3f-Dk7xU8S6pCSBzWl3jGGGrkF1zWkUypVUnik>
>>
>> [2] https://github.com/w3c/webauthn/pull/384#issuecomment-292734633
>>
>> [3] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0147.html
Received on Tuesday, 11 April 2017 19:41:32 UTC