RE: Is the getAssertion whitelist necessary? from Vijay Bharadwaj on 2016-07-18 (public-webauthn@w3.org from July 2016)

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Mon, 18 Jul 2016 00:51:39 +0000
To: "J.C. Jones" <jc@mozilla.com>, Jeff Hodges <jeff.hodges@paypal.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <e56261372f2a488bb2f713ca9b243c1a@microsoft.com>

Ø  Instead of just constructing a dictionary, we'd need a constructor of some fashion.

So when would the authenticator flash its little LED and ask the user to touch it? When the constructor is called or when getAssertion is called? I assume the latter – so the constructor would just be a factory for dummy objects that can be used to call getAssertion?

I’m thinking maybe we should do quick prototypes to try this out. For my part, I have a private branch vgb-experiment-noCred in which I’m trying out what the removal of the Credential object would look like. (I’ll publish this by tomorrow so you can take a look.) I can take a crack at this object approach right after, or you can try it out similarly and we can compare. Does that work?

From: J.C. Jones [mailto:jc@mozilla.com]
Sent: Sunday, July 17, 2016 5:45 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com>; Jeff Hodges <jeff.hodges@paypal.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: Is the getAssertion whitelist necessary?

Replying to both Vijay and Jeff:
On Fri, Jul 15, 2016 at 11:58 PM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
How would you create the Credential object?

Instead of just constructing a dictionary, we'd need a constructor of some fashion.

On Sat, Jul 16, 2016 at 3:01 AM, Hodges, Jeff <jeff.hodges@paypal.com<mailto:jeff.hodges@paypal.com>> wrote:
On 7/15/16, 5:52 PM, "J.C. Jones" <jc@mozilla.com<mailto:jc@mozilla.com>> wrote:
>So my question is: why does getAssertion() need a whitelist? Could we add
>the getAssertion() method to the Credential, and make it an object?

this actually was an earlier design predating the submitted specs
<https://www.w3.org/Submission/2015/02/>

IIRC, moving to the whitelist approach with getAssertion() more naturally
accommodated use cases involving external/roaming/portable authenticators
(authnrs). perhaps we need to elucidate the design rationale...

Interesting; this must be some timing issue? Naively, it seems like it would work the same, as you can build the current behavior out of the 'atomic' one.
It might be worth documenting, at least before the wider public asks the same questions.

Cheers,
J.C.

Received on Monday, 18 July 2016 00:52:20 UTC