- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Wed, 30 Mar 2016 10:28:28 -0400
- To: Axel Nennker <Axel.Nennker@telekom.de>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAOAcki9omZgCTeviJsZrR-bwUrKXSF47sFcG30uSoqPhbLBosg@mail.gmail.com>
On Wed, Mar 30, 2016 at 10:27 AM, <Axel.Nennker@telekom.de> wrote: > And then name the folded method “get” and place it into > navigator.credentials ? > I'm flexible on naming. Using signAssertion might be more descriptive. I admit that it does take us farther from Credential API. > If there is no key already then is the method returning the results of > both methods? That is: is the newly generated key immediately used to sign > a challenge? > That's what I was thinking, yes. > > > *From:* Richard Barnes [mailto:rbarnes@mozilla.com] > *Sent:* Mittwoch, 30. März 2016 15:24 > *To:* W3C WebAuthn WG > *Subject:* Three possibilities for discussion > > > > Hey all, > > > > I was hacking on a U2F stack over the weekend, and a couple of possible > simplifications to WebAuthn occurred to me: > > > > 1. Fold makeCredential into signAssertionn > > > > It seems like there's a pretty high degree of overlap between the > makeCredential and signAssertion methods. They have the following things > in common: > > > > - A challenge (attestationChallenge / assertionChallenge) > > - A timeout (credentialTimeoutSeconds / assertionTimeoutSeconds) > > - A list of keys the JS already has (blacklist / whitelist) > > - A list of extensions (credentialExtensions / assertionExtensions) > > > > Can we fold the semantics of makeCredential into a slightly expanded > signAssertion? > > > > OLD: Sign with one of the keys on the whitelist > > NEW: Sign with one of the keys on the whitelist or generate one if you > can't find a whitelisted one > > > > This would require some additional optional stuff, e.g., to pass in the > accountInformation / cryptoParameters and return the key that was generated > in that case. > > > > Basically, ISTM that people are rarely going to just call makeCredential, > without calling signAssertion immediately after, so there's not a whole lot > of reason for all the duplication. > > > > > > 2. Make Account optional > > > > Right now, you always have to provide an Account dictionary in > makeCredential. This dictionary is just a bunch of metadata that won't > apply in a bunch of cases, so we shouldn't make people put {} in there all > the time. > > > > > > 3. Move optional parameters and extensions into an "options" dictionary > > > > The "extensions" pattern in the WebAuthn methods seems uncharacteristic > for a Web API. It's more common to package all of the optional arguments > (plus any possible future ones) into an "options" dictionary. See, for > example: > > > > https://w3c.github.io/webrtc-pc/#interface-definition > > https://dev.w3.org/geo/api/spec-source.html#api_description > > > > We should take all the optional stuff in these methods (timeout, > whitelist/blacklist) and put them in an optional options dictionary which > is the last argument to the method. > > > > And as your reward for reading this far: > > http://memedad.com/memes/846718.jpg > > > > > > Thanks, > > --Richard >
Received on Wednesday, 30 March 2016 14:28:57 UTC