RE: Is the getAssertion whitelist necessary? from Vijay Bharadwaj on 2016-07-21 (public-webauthn@w3.org from July 2016)

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Thu, 21 Jul 2016 07:58:15 +0000
To: "J.C. Jones" <jc@mozilla.com>, Jeff Hodges <jeff.hodges@paypal.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <0e7457c799a84074b63df8c319442d46@microsoft.com>

Branch vgb-experiment-credObject is now on Github, showing an alternative approach. Please provide feedback so we can pick an approach and move forward. Also, if you believe in a third approach, please provide feedback and describe your alternative.

Thanks!

From: Vijay Bharadwaj
Sent: Monday, July 18, 2016 3:51 PM
To: Vijay Bharadwaj <vijaybh@microsoft.com>; J.C. Jones <jc@mozilla.com>; Jeff Hodges <jeff.hodges@paypal.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: RE: Is the getAssertion whitelist necessary?

Branch vgb-experiment-noCredType is now on Github. Note this is an experiment, so it’s not aiming to be editorially perfect. Please take a look and let me know what you think.

FWIW having stared at this a bit I prefer future possibility #1 over #2 because #2 depends on extensions which are optional. So you may end up in a situation where an RP requests versions 2 and 3 but gets version 1 because the extension was ignored by everyone involved.

From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
Sent: Sunday, July 17, 2016 5:52 PM
To: J.C. Jones <jc@mozilla.com<mailto:jc@mozilla.com>>; Jeff Hodges <jeff.hodges@paypal.com<mailto:jeff.hodges@paypal.com>>
Cc: W3C WebAuthn WG <public-webauthn@w3.org<mailto:public-webauthn@w3.org>>
Subject: RE: Is the getAssertion whitelist necessary?

Ø  Instead of just constructing a dictionary, we'd need a constructor of some fashion.

So when would the authenticator flash its little LED and ask the user to touch it? When the constructor is called or when getAssertion is called? I assume the latter – so the constructor would just be a factory for dummy objects that can be used to call getAssertion?

I’m thinking maybe we should do quick prototypes to try this out. For my part, I have a private branch vgb-experiment-noCred in which I’m trying out what the removal of the Credential object would look like. (I’ll publish this by tomorrow so you can take a look.) I can take a crack at this object approach right after, or you can try it out similarly and we can compare. Does that work?

From: J.C. Jones [mailto:jc@mozilla.com]
Sent: Sunday, July 17, 2016 5:45 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>>; Jeff Hodges <jeff.hodges@paypal.com<mailto:jeff.hodges@paypal.com>>
Cc: W3C WebAuthn WG <public-webauthn@w3.org<mailto:public-webauthn@w3.org>>
Subject: Re: Is the getAssertion whitelist necessary?

Replying to both Vijay and Jeff:
On Fri, Jul 15, 2016 at 11:58 PM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
How would you create the Credential object?

Instead of just constructing a dictionary, we'd need a constructor of some fashion.

On Sat, Jul 16, 2016 at 3:01 AM, Hodges, Jeff <jeff.hodges@paypal.com<mailto:jeff.hodges@paypal.com>> wrote:
On 7/15/16, 5:52 PM, "J.C. Jones" <jc@mozilla.com<mailto:jc@mozilla.com>> wrote:
>So my question is: why does getAssertion() need a whitelist? Could we add
>the getAssertion() method to the Credential, and make it an object?

this actually was an earlier design predating the submitted specs
<https://www.w3.org/Submission/2015/02/>

IIRC, moving to the whitelist approach with getAssertion() more naturally
accommodated use cases involving external/roaming/portable authenticators
(authnrs). perhaps we need to elucidate the design rationale...

Interesting; this must be some timing issue? Naively, it seems like it would work the same, as you can build the current behavior out of the 'atomic' one.
It might be worth documenting, at least before the wider public asks the same questions.

Cheers,
J.C.

Received on Thursday, 21 July 2016 07:59:36 UTC