
Re: Is the getAssertion whitelist necessary?

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Tue, 26 Jul 2016 18:27:34 +0000
To: Vijay Bharadwaj <vijaybh@microsoft.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <D3BCF5CE.CD708%jehodges@paypalcorp.com>
On 7/25/16, 1:07 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:


>For ease of review, I've attached HTML renderings of the two experimental
>versions based on the current state of master. I'd like to go over these
>approaches (and any others
> suggested) on Wednesday's call, but feel free to also send email
>comments earlier.
>
>
>

thanks for sending these.  I was hoping to review them prior to tomorrow's
call, but it's getting late here in UTC+2 and I might not be able to.  In
case I'm unable, please note that I do intend to review them (hopefully by
the call next week, am on the road).

Also, I did a textual diff of the two files you sent -- it is attached to
this message: 

   Diff-Vijay-WebAuthn--index-noCred--from--index-objectCred.pdf

HTH,

=JeffH


>
> 
>From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
>
>Sent: Thursday, July 21, 2016 12:58 AM
>To: J.C. Jones <jc@mozilla.com>; Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>
> 
>Branch vgb-experiment-credObject is now on Github, showing an alternative
>approach. Please provide feedback so we can pick an approach and move
>forward. Also, if you believe
> in a third approach, please provide feedback and describe your
>alternative.
> 
>Thanks!
> 
>From: Vijay Bharadwaj
>
>Sent: Monday, July 18, 2016 3:51 PM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>; J.C. Jones <jc@mozilla.com>;
>Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>
> 
>Branch vgb-experiment-noCredType is now on Github. Note this is an
>experiment, so it's not aiming to be editorially perfect. Please take a
>look and let me know what you think.
> 
>FWIW having stared at this a bit I prefer future possibility #1 over #2
>because #2 depends on extensions which are optional. So you may end up in
>a situation where an RP requests
> versions 2 and 3 but gets version 1 because the extension was ignored by
>everyone involved.
> 
>From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
>
>Sent: Sunday, July 17, 2016 5:52 PM
>To: J.C. Jones <jc@mozilla.com>; Jeff Hodges <jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: RE: Is the getAssertion whitelist necessary?
>
>
> 
>Instead of just constructing a dictionary, we'd need a constructor of
>some fashion.
> 
>So when would the authenticator flash its little LED and ask the user to
>touch it? When the constructor is called or when getAssertion is called?
>I assume the latter - so the
> constructor would just be a factory for dummy objects that can be used
>to call getAssertion?
> 
>I'm thinking maybe we should do quick prototypes to try this out. For my
>part, I have a private branch vgb-experiment-noCred in which I'm trying
>out what the removal of the
> Credential object would look like. (I'll publish this by tomorrow so you
>can take a look.) I can take a crack at this object approach right after,
>or you can try it out similarly and we can compare. Does that work?
> 
>From: J.C. Jones [mailto:jc@mozilla.com]
>
>Sent: Sunday, July 17, 2016 5:45 AM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>; Jeff Hodges
><jeff.hodges@paypal.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: Re: Is the getAssertion whitelist necessary?
> 
>Replying to both Vijay and Jeff:
>
>On Fri, Jul 15, 2016 at 11:58 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
>wrote:
>
>How would you create the Credential object?
>
>
>
>
> 
>
>Instead of just constructing a dictionary, we'd need a constructor of
>some fashion.
>
>
>On Sat, Jul 16, 2016 at 3:01 AM, Hodges, Jeff <jeff.hodges@paypal.com>
>wrote:
>
>On 7/15/16, 5:52 PM, "J.C. Jones" <jc@mozilla.com> wrote:
>>So my question is: why does getAssertion() need a whitelist? Could we add
>>the getAssertion() method to the Credential, and make it an object?
>
>this actually was an earlier design predating the submitted specs
><https://www.w3.org/Submission/2015/02/>
>
>IIRC, moving to the whitelist approach with getAssertion() more naturally
>accommodated use cases involving external/roaming/portable authenticators
>(authnrs). perhaps we need to elucidate the design rationale...
>
>
> 
>
>Interesting; this must be some timing issue? Naively, it seems like it
>would work the same, as you can build the current behavior out of the
>'atomic' one.
>
>It might be worth documenting, at least before the wider public asks the
>same questions.
>
> 
>
>Cheers,
>
>J.C.
>
>
>



Received on Tuesday, 26 July 2016 18:28:17 UTC
