Re: [webauthn] Section 4.1.4 Use Existing Credential "get"

Note that step 16 already does that, i.e. "For each authenticator currently available on this platform, perform the following steps:".
As a consequence allowCredentialDescriptorList only contains the credentials bound to that specific authenticator (see step 16.2).

Additionally, I think the algorithm must distinguish 2 cases:
a) options.allowCredentialDescriptorList is non-empty
b) options.allowCredentialDescriptorList is empty

In case a) we might want to filter the number of authenticators connected to the platform (e.g. as used in step 16) to the ones related to one (or more) credentials in options.allowCredentialDescriptorList.

In case b) we should ask all connected authenticators whether they have a credential for the requested RP.

One more issue: I think the transports are specific to the authenticator - not to the credential. This means even if the platform has used a BLE connection to talk to the authenticator while making it, if the platform knows the authenticator is connected via USB at the time of calling get, the USB connection is the right transport here (for get).

--> Idea of an algo
replace current step 16 by
16a. if options.allowCredentialDescriptorList is empty then
     in parallel for each authenticator currently available on this platform, perform the following step:
         1. using local configuration knowledge of the appropriate transport to use with authenticator, invoke 
         the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, 
         empty allowCredentialDescriptorList, and clientExtensions as parameters.
16b. if options.allowCredentialDescriptorList is NOT empty then
    in parallel for each authenticator currently available on this platform, perform the following step:
       1. execute a platform-specific procedure to determine which, if any, public key credentials described by options.allowCredentials are bound to this authenticator, by matching with rpId, options.allowCredentials.id, and options.allowCredentials.type. Set allowCredentialDescriptorList to this filtered list.
       2. Determine the appropriate transport for talking to the authenticator by examining local platform knowledge and the transport field for each of the credentials in allowCredentialDescriptorList.
       3. Then, using transport, invoke the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, and authenticatorExtensions as parameters.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/480#issuecomment-308970927 using your GitHub account

Received on Friday, 16 June 2017 08:50:25 UTC
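The two-case client algorithm sketched in the comment above (16a: empty allow list, ask every connected authenticator; 16b: non-empty allow list, filter per authenticator on rpId, type and id, then pick the transport from current platform knowledge rather than from the transport recorded with the credential), modelled as an added Python example. This is illustration code written for this page, not spec text or the webauthn project's own code: the `Authenticator`, `CredentialDescriptor` and `GetAssertionCall` types, the `plan_get_assertion` function and the sample authenticators are all constructed here, and the choice to skip an authenticator that holds none of the listed credentials follows the "filter the number of authenticators" remark in case a) rather than anything the spec mandates.

```python
"""Model of the proposed WebAuthn get() step 16a/16b (added example, not spec text).

All type and function names below are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CredentialDescriptor:
    """PublicKeyCredentialDescriptor: type, id and the transports recorded at make() time."""
    cred_type: str                       # "public-key"
    cred_id: bytes
    transports: Tuple[str, ...] = ()     # hint only; may be stale (see the BLE-then-USB remark)


@dataclass
class Authenticator:
    """A connected authenticator as the client platform currently sees it."""
    name: str
    current_transport: Optional[str]     # what the platform sees right now, or None if unknown
    # Platform-specific knowledge of which credentials this authenticator holds, keyed by rpId.
    bound: Dict[str, List[CredentialDescriptor]] = field(default_factory=dict)


@dataclass
class GetAssertionCall:
    """One authenticatorGetAssertion invocation the client would issue (in parallel)."""
    authenticator: str
    transport: Optional[str]
    rp_id: str
    allow_list: List[CredentialDescriptor]


def filter_allow_list(auth: Authenticator, rp_id: str,
                      allow_credentials: List[CredentialDescriptor]) -> List[CredentialDescriptor]:
    """Step 16b.1: keep only the descriptors bound to this authenticator for rp_id, matched on (type, id)."""
    bound = {(c.cred_type, c.cred_id) for c in auth.bound.get(rp_id, [])}
    return [d for d in allow_credentials if (d.cred_type, d.cred_id) in bound]


def choose_transport(auth: Authenticator, allow_list: List[CredentialDescriptor]) -> Optional[str]:
    """Step 16b.2: local platform knowledge wins; the transport stored with the credential is a fallback hint."""
    if auth.current_transport:
        return auth.current_transport
    hints = sorted({t for d in allow_list for t in d.transports})
    return hints[0] if hints else None


def plan_get_assertion(rp_id: str, allow_credentials: List[CredentialDescriptor],
                       authenticators: List[Authenticator]) -> List[GetAssertionCall]:
    """Return the set of authenticatorGetAssertion calls the client would issue in parallel."""
    calls: List[GetAssertionCall] = []
    if not allow_credentials:
        # 16a: empty allow list -> ask every connected authenticator for any credential of this RP.
        for auth in authenticators:
            calls.append(GetAssertionCall(auth.name, auth.current_transport, rp_id, []))
        return calls
    # 16b: non-empty allow list -> filter per authenticator, skip those holding none of the listed credentials.
    for auth in authenticators:
        filtered = filter_allow_list(auth, rp_id, allow_credentials)
        if not filtered:
            continue
        calls.append(GetAssertionCall(auth.name, choose_transport(auth, filtered), rp_id, filtered))
    return calls


# Constructed sample data: a roaming key made over BLE but now plugged in over USB,
# a second roaming key holding a different credential, and a platform authenticator.
CRED_1 = CredentialDescriptor("public-key", b"\x01", ("ble",))
CRED_2 = CredentialDescriptor("public-key", b"\x02", ("ble",))
CRED_3 = CredentialDescriptor("public-key", b"\x03", ("nfc",))   # not held by anyone connected
SAMPLE_AUTHENTICATORS = [
    Authenticator("key-A", "usb", {"example.com": [CRED_1]}),
    Authenticator("key-B", "ble", {"example.com": [CRED_2]}),
    Authenticator("platform", "internal", {"other.example": [CRED_3]}),
]
SAMPLE_ALLOW = [CRED_1, CRED_3]

if __name__ == "__main__":
    for call in plan_get_assertion("example.com", SAMPLE_ALLOW, SAMPLE_AUTHENTICATORS):
        print(call.authenticator, call.transport, [d.cred_id.hex() for d in call.allow_list])
    for call in plan_get_assertion("example.com", [], SAMPLE_AUTHENTICATORS):
        print(call.authenticator, call.transport, call.allow_list)
```

With the sample data, case b) yields a single call to key-A over USB (not the BLE recorded with the credential) carrying only credential 0x01; case a) yields one call per connected authenticator with an empty allow list, each over the transport the platform currently observes.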