- From: Nina Satragno <notifications@github.com>
- Date: Tue, 01 Aug 2023 08:44:56 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/820/1660587023@github.com>
This slipped through my emails, sorry!

> The explainer talks about a 'small amount of data', why is this called 'largeBlob'?
> Why is it called a blob if it's reading and writing array buffers? The property name should be relevant to the data type, either make the API accept a Blob or use a name that doesn't imply Blobs.

The name comes from [CTAP](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorLargeBlobs). 1 KB is "large" with respect to the available memory on security keys, and with respect to the older [credBlob](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credBlob-extension) extension that supports 32 bytes. Array buffers are used to write and read binary data all through the webauthn spec.

> What's the size limit of the data?

This depends on the authenticator; the specification does not state a maximum size.

> Is there any way for the RP to know what's available?

A relying party can set `largeBlob`'s `support` to `required` (or `preferred`) to discover availability when creating a credential, but cannot query the available space on the authenticator.

> Is there expected to be a mechanism for the user to clear this data? (Independent of clearing the entire auth for the RP) Either via UA UI or a future API call?

User agent management of authenticators is not specified by webauthn or CTAP, but the authenticator API endpoints to [manage credentials](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorCredentialManagement) (and large blobs) are. On some platforms, Chrome has the ability to delete credentials with an associated large blob, which will clear the blob as well. Some authenticator vendors provide their own management software. RPs can clear a large blob without deleting the credential by writing an empty blob.

> Also, do you have an update on the implementation status, and any multi-stakeholder support?

It's shipped in [Chrome 113](https://chromestatus.com/feature/5657899357437952) and [Safari 17](https://www.webkit.org/blog/14205/news-from-wwdc23-webkit-features-in-safari-17-beta/). The compression algorithm turned out to be a subtle [source of incompatibility](https://bugs.chromium.org/p/chromium/issues/detail?id=1312802), so if we could redesign the API we would probably change that. At this time, the only improvement we are working on is support over the [hybrid](https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-hybrid) protocol. This will let websites create & retrieve large blobs for authenticators such as phones. This has no effect on the web API surface, but required a few changes to CTAP (not published yet, sorry).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/820#issuecomment-1660587023
Received on Tuesday, 1 August 2023 15:45:01 UTC
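The flow the message describes, as an added example that is not part of the thread, of Chrome or Safari, or of any specification text: a relying party requests `largeBlob` at creation with `support: "preferred"`, learns from `supported` whether the authenticator can hold a blob, then writes and reads the blob during assertions, and clears it by writing an empty blob. Because the RP cannot query free space, the only feedback on whether a write fit is `written`, and the example checks it. `RP_ID`, the user record, the payload, the 1 KB capacity, and the `makeFakeCredentials` test double standing in for `navigator.credentials` outside a browser are all assumptions made for this example.

```javascript
// Added example, not code from the thread or from any browser or spec project.
// Request/result shapes follow the WebAuthn largeBlob extension as described above:
// create: extensions.largeBlob.support -> results.largeBlob.supported
// get:    extensions.largeBlob.write / .read -> results.largeBlob.written / .blob
const RP_ID = "example.com"; // assumed relying party ID

// Create a discoverable credential and ask for largeBlob storage. With `required` the
// ceremony fails on an authenticator without the extension; with `preferred` it succeeds
// anyway and `supported` in the extension results says whether a blob can be stored.
async function createWithLargeBlob(credentials, { challenge, userId, support = "preferred" }) {
  const cred = await credentials.create({
    publicKey: {
      rp: { id: RP_ID, name: "Example RP" },
      user: { id: userId, name: "alice@example.com", displayName: "Alice" }, // assumed user
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { residentKey: "required" }, // largeBlob needs a discoverable credential
      extensions: { largeBlob: { support } },
    },
  });
  const ext = cred.getClientExtensionResults();
  return { credentialId: cred.rawId, largeBlobSupported: ext.largeBlob?.supported === true };
}

// Write `data` (a Uint8Array) as the credential's large blob during an assertion. There is no
// way to ask how much space is free, so `written === true` is the only sign the blob fit.
async function writeLargeBlob(credentials, { challenge, credentialId, data }) {
  const assertion = await credentials.get({
    publicKey: {
      rpId: RP_ID,
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      extensions: { largeBlob: { write: data } },
    },
  });
  return assertion.getClientExtensionResults().largeBlob?.written === true;
}

// Read the blob back; resolves to an ArrayBuffer, or null if none was returned.
async function readLargeBlob(credentials, { challenge, credentialId }) {
  const assertion = await credentials.get({
    publicKey: {
      rpId: RP_ID,
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      extensions: { largeBlob: { read: true } },
    },
  });
  return assertion.getClientExtensionResults().largeBlob?.blob ?? null;
}

// Clear the blob without deleting the credential: write an empty blob.
function clearLargeBlob(credentials, args) {
  return writeLargeBlob(credentials, { ...args, data: new Uint8Array(0) });
}

// Test double for navigator.credentials (assumption, for running outside a browser). It models
// an authenticator with optional largeBlob support and `capacity` bytes of blob storage; an
// oversized write reports `written: false` and leaves the previous blob in place.
function makeFakeCredentials({ supported, capacity }) {
  const hex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
  const store = new Map(); // credential id (hex) -> Uint8Array blob
  let nextId = 0;
  return {
    async create({ publicKey }) {
      if (publicKey.extensions?.largeBlob?.support === "required" && !supported) {
        const err = new Error("no authenticator supports the largeBlob extension");
        err.name = "NotSupportedError";
        throw err;
      }
      const rawId = new Uint8Array([0xc0, ++nextId]).buffer;
      store.set(hex(rawId), new Uint8Array(0));
      return { rawId, getClientExtensionResults: () => ({ largeBlob: { supported } }) };
    },
    async get({ publicKey }) {
      const id = publicKey.allowCredentials[0].id;
      if (!store.has(hex(id))) throw new Error("unknown credential");
      const lb = publicKey.extensions?.largeBlob ?? {};
      const results = {};
      if (lb.read) {
        results.largeBlob = { blob: store.get(hex(id)).slice().buffer };
      } else if (lb.write !== undefined) {
        const ok = supported && lb.write.byteLength <= capacity;
        if (ok) store.set(hex(id), Uint8Array.from(lb.write));
        results.largeBlob = { written: ok };
      }
      return { rawId: id, getClientExtensionResults: () => results };
    },
  };
}

// End to end: create, store a payload, read it back, attempt an oversized write, then clear.
// Uses the real navigator.credentials in a browser, otherwise the fake with 1 KB of storage.
async function demo(credentials = globalThis.navigator?.credentials ?? makeFakeCredentials({ supported: true, capacity: 1024 })) {
  const challenge = new Uint8Array(32); // placeholder; the server issues a fresh random challenge per ceremony
  globalThis.crypto?.getRandomValues?.(challenge);
  const userId = new Uint8Array([1, 2, 3, 4]); // constructed user handle
  const { credentialId, largeBlobSupported } = await createWithLargeBlob(credentials, { challenge, userId });
  if (!largeBlobSupported) return { largeBlobSupported }; // preferred, but nothing to store into
  const payload = new TextEncoder().encode("opaque RP state, e.g. an encrypted offline certificate"); // constructed
  const written = await writeLargeBlob(credentials, { challenge, credentialId, data: payload });
  const readBack = new TextDecoder().decode(await readLargeBlob(credentials, { challenge, credentialId }));
  const oversized = await writeLargeBlob(credentials, { challenge, credentialId, data: new Uint8Array(4096) });
  const survived = new TextDecoder().decode(await readLargeBlob(credentials, { challenge, credentialId }));
  const cleared = await clearLargeBlob(credentials, { challenge, credentialId });
  const bytesAfterClear = (await readLargeBlob(credentials, { challenge, credentialId })).byteLength;
  return { largeBlobSupported, written, readBack, oversized, survived, cleared, bytesAfterClear };
}
```

In a browser, `demo()` picks up the real `navigator.credentials` and the fake is never used; the shape of the requests is what matters. Note that `read` and `write` are separate assertions, and that a failed write leaves whatever blob was there before, so an RP storing state in the blob should treat `written: false` as "not saved" rather than assume a partial update.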