- From: J.C. Jones <jc@mozilla.com>
- Date: Tue, 11 Apr 2017 12:29:20 -0700
- To: "public-webauthn@w3.org" <public-webauthn@w3.org>
- Cc: Vijay Bharadwaj <vijaybh@microsoft.com>, Angelo Liao <huliao@microsoft.com>, Alexei Czeskis <aczeskis@google.com>, Anthony Nadalin <tonynad@microsoft.com>, Mike West <mkwst@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>
- Message-ID: <CAObDDPD_YE32u6=cgN996qNafpqqNdiiscHanE3erwR6qGVEwA@mail.gmail.com>
Yes, I, too, would like to see a PR for this alignment. I like it, too!

We've been holding off on further implementation in Firefox waiting for PR #384 to merge; everyone I've involved over here in Mozilla agrees that CredMan and WebAuthn lining up like this would be a good thing.

To use Vijay's want list, I'm not hung up on aligning method names (Vijay's #3), but I strongly believe we should get the rest of the alignment before moving to an implementation draft.

J.C.

On Tue, Apr 11, 2017 at 11:53 AM, Angelo Liao <huliao@microsoft.com> wrote:

> Alexei, can you please create a PR based on the proposal below? This way we can move the conversation along much sooner. If you are busy, I can help create the PR. In the interest of expediency, let's not worry too much about the editorials in the PR.
>
> *From:* Vijay Bharadwaj [mailto:vijaybh@microsoft.com]
> *Sent:* Tuesday, April 11, 2017 9:28 AM
> *To:* Alexei Czeskis <aczeskis@google.com>; Anthony Nadalin <tonynad@microsoft.com>; Mike West <mkwst@google.com>
> *Cc:* Hodges, Jeff <jeff.hodges@paypal.com>; public-webauthn@w3.org
> *Subject:* RE: PR #384 CredMan Integration
>
> I would love to make the world a better place better.
>
> In my mind, the merge has 3 parts:
>
> 1. Align namespaces between WebAuthn and Credential Management
> 2. Align the API calling patterns (dictionaries instead of explicitly enumerated arguments)
> 3. Align the method names (get, create, store)
>
> Of these I think #1 and #2 are the must-haves, and #3 is something that I personally would not be upset to postpone to a v2. This allows us to focus on syntactic questions for now and avoid the more contentious questions around method naming which often become about semantics. From a practical perspective, renaming methods is also fairly easy to do later.
>
> So I like this proposal since it attempts something like the above.
>
> @Mike West <mkwst@google.com> – what is your opinion?
>
> *From:* Alexei Czeskis [mailto:aczeskis@google.com]
> *Sent:* Tuesday, April 11, 2017 9:05 AM
> *To:* Anthony Nadalin <tonynad@microsoft.com>
> *Cc:* Hodges, Jeff <jeff.hodges@paypal.com>; public-webauthn@w3.org
> *Subject:* Re: PR #384 CredMan Integration
>
> Dear list,
>
> I'm all for getting the spec done fast, for getting implementations out fast, and for making the world a better place faster. If we want to speed things up, I'm not convinced that the PR as it is right now is the right move. I'm not simply arguing for making fast progress and accepting a messy API landscape in return. I'm arguing for not venturing into the unknown to find the perfect -- in effect passing on the known-good.
>
> I believe that in its current form, the merge will cause questions that will take a while to iron out. I would suggest an alternate approach: hold off on the merge until the proposal does not have as many unknowns. Maybe that means waiting until version 2. It's true that at that point we'll have gone down different roads with credman and merging might be harder, but surely worse things have happened.
>
> In my opinion, the big reason to be hesitant about this merge is that it takes us down the path of one single .makeAuthFactor() and one single .getAuthFactor() method, where .makeAuthFactor() can result in a username/password, password, oauth token, url of oauth provider, a public key of one kind or another. I'm not convinced that that's the right big picture approach. Maybe it is, maybe it isn't -- but going down that path opens up A LOT of questions, not just about the specs, but about UI/UX as well. For example, for usernames and passwords -- the browser manages identities and shows the UX for selection. For authenticators such as phones, the phone does. I'm not sure what the right way to show UX is there. Maybe it's not a problem for Edge that might just call Hello, but I'm not sure what cross-operating-system browsers such as FF and Chrome would do. Or for example, consider during the create account phase when acme.com tells the browser that it'll accept a username/password/oauth token from Google or Facebook or an Authenticator -- what does the browser draw then? How does the user choose? We haven't figured out what it means to not require user mediation for webauthn, because there are lots of details. The relationship between user accounts and passwords is 1:1 -- but that's not the case for users and authenticators.
>
> I can keep going, but the point is that there are questions here -- lots of them. It will take a while to iron them out, to play with implementations, to iterate, to refactor, to make a UX that users understand. On the other hand, we pretty much know how to build webauthn in its current form. It's self-contained and doesn't depend on any outside specs. If I understand the proposed merge correctly, it also requires that the credential management API be changed. So now, before any webauthn api can be put out, the credential management API must be refactored and only then can webauthn be developed. Also, let's not forget that there are websites that depend on the current credential management API.
>
> Perhaps my English is a bit Russian, but this email is meant not as a "whimper", but as a well-laid-out, technically-sound argument, worthy of your serious consideration. I look forward to your comments and feedback!
>
> The PR is not the only possible credman merge proposal.
> Here is another (if you don't like this one, we've got another):
>
> interface Credential {
>   readonly attribute USVString id;
>   readonly attribute DOMString type;
> };
>
> ----------------------------------------------------
>
> interface BearerCredential : Credential {
>   readonly attribute USVString name;
>   readonly attribute USVString iconURL;
> };
>
> interface PasswordCredential : BearerCredential {
>   attribute USVString idName;
>   attribute USVString passwordName;
>
>   attribute CredentialBodyType? additionalData;
> };
>
> // similar for FederatedCredential
>
> --------------------------------------------
>
> interface PublicKeyCredential : Credential {
>   readonly attribute object publicKey;
> };
>
> interface AuthenticatorResponse {
>   readonly attribute PublicKeyCredential credential;
>   readonly attribute ArrayBuffer clientDataJSON;
> };
>
> // note that this is just a renamed ScopedCredentialInfo,
> // with the addition of a public key, id, and type in it (as part of the
> // credential attribute)
> interface MakeCredentialResponse : AuthenticatorResponse {
>   readonly attribute ArrayBuffer attestationObject;
> };
>
> // note that this is just a renamed AuthenticationAssertion
> interface AssertionResponse : AuthenticatorResponse {
>   readonly attribute ArrayBuffer authenticatorData;
>   readonly attribute ArrayBuffer signature;
> };
>
> -------------------------------------------
>
> partial interface Navigator {
>   readonly attribute CredentialsContainer credentials;
> };
>
> interface CredentialsContainer {
>   readonly attribute BearerCredentials bearer;
>   readonly attribute PublicKeyCredentials publicKey;
> };
>
> interface BearerCredentials {
>   Promise<BearerCredential?> get(CredentialRequestOptions options);
>   Promise<BearerCredential> store(BearerCredential credential);
>   Promise<void> requireUserMediation();
> };
>
> // continue here as in existing CredMan API
>
> ------------------------------------------------------------
>
> interface PublicKeyCredentials {
>   Promise<MakeCredentialResponse> makeCredential(
>       RelyingPartyUserInfo accountInformation,
>       sequence<ScopedCredentialParameters> cryptoParameters,
>       BufferSource attestationChallenge,
>       optional ScopedCredentialOptions options);
>
>   Promise<AssertionResponse> getAssertion(
>       BufferSource assertionChallenge,
>       optional AssertionOptions options);
> };
>
> // continue here as in existing Webauthn API
> // (note that the naming here treats the key pair as *the credential*, and the thing
> // that is sent over the wire is something else - an authenticator response, etc.)
>
> --------------------------------------------------------
>
> // Example: generating and registering a new key follows
>
> var webauthnAPI = navigator.credentials.publicKey;
>
> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>
> var userAccountInformation = {
>   rpDisplayName: "Acme",
>   displayName: "John P. Smith",
>   name: "johnpsmith@example.com",
>   id: "1098237235409872",
>   imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
> };
>
> // This Relying Party will accept either an ES256 or RS256 credential, but
> // prefers an ES256 credential.
> var cryptoParams = [
>   {
>     type: "publicKey",
>     algorithm: "ES256"
>   },
>   {
>     type: "publicKey",
>     algorithm: "RS256"
>   }
> ];
>
> var challenge = new TextEncoder().encode("climb a mountain");
> var options = {
>   timeout: 60000,                          // 1 minute
>   excludeList: [],                         // No excludeList
>   extensions: {"webauthn.location": true}  // Include location information
>                                            // in attestation
> };
>
> // Note: The following call will cause the authenticator to display UI.
> webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
>   .then(function (makeCredentialResponse) {
>     // Send make credential response to server for verification and registration.
>   }).catch(function (err) {
>     // No acceptable authenticator or user refused consent. Handle appropriately.
>   });
>
> --------------------------------------------------------
>
> // Example: authentication without hints
>
> var webauthnAPI = navigator.credentials.publicKey;
>
> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>
> var challenge = new TextEncoder().encode("climb a mountain");
> var options = {
>   timeout: 60000,  // 1 minute
>   allowList: [{ type: "publicKey" }]
> };
>
> webauthnAPI.getAssertion(challenge, options)
>   .then(function (assertionResponse) {
>     // Send assertion response to server for verification
>   }).catch(function (err) {
>     // No acceptable credential or user refused consent. Handle appropriately.
>   });
>
> --------------------------------------------------------
>
> // Example: authentication with hints
>
> var webauthnAPI = navigator.credentials.publicKey;
>
> if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
>
> var encoder = new TextEncoder();
> var challenge = encoder.encode("climb a mountain");
> var acceptableCredential1 = {
>   type: "publicKey",
>   id: encoder.encode("!!!!!!!hi there!!!!!!!\n")
> };
> var acceptableCredential2 = {
>   type: "publicKey",
>   id: encoder.encode("roses are red, violets are blue\n")
> };
>
> var options = {
>   timeout: 60000,  // 1 minute
>   allowList: [acceptableCredential1, acceptableCredential2],
>   extensions: { 'webauthn.txauth.simple':
>                 "Wave your hands in the air like you just don’t care" }
> };
>
> webauthnAPI.getAssertion(challenge, options)
>   .then(function (assertion) {
>     // Send assertion response to server for verification
>   }).catch(function (err) {
>     // No acceptable credential or user refused consent. Handle appropriately.
>   });
>
> --------------------------------------------------------
>
> Advantages of this Proposal
>
> - Fewer changes to CredMan & WebAuthn specs
> - No need to have a no-op store() operation for PublicKeyCredentials
> - No need to reconcile the two notions of user mediation. credentials.bearer uses the requireUserMediation operation, whereas credentials.publicKey uses a parameter in the ScopedCredentialOptions
> - The only thing a reader of the webauthn spec has to understand about the CredMan spec is the (very simple) Credential interface.
> - New methods like cancel() and promoteAuthenticatorIfAvailable() can easily be added to credentials.publicKey without having to worry how they interact with other credential types.
>
> Thanks!
>
> -Alexei
>
> *____**____**____**____*
>
> . Alexei Czeskis .:. Securineer .:. 317.698.4740 .
>
> On Mon, Apr 10, 2017 at 7:14 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> Too nice; need to raise a formal objection, not whimpers, as I can't read between the lines.
>
> -----Original Message-----
> From: Hodges, Jeff [mailto:jeff.hodges@paypal.com]
> Sent: Monday, April 10, 2017 4:18 PM
> To: public-webauthn@w3.org
> Subject: Re: PR #384 CredMan Integration
>
> On 4/10/17, 2:29 PM, "Anthony Nadalin" <tonynad@microsoft.com> wrote:
>
> > So based upon the discussions that have been going on there seems to be some issues raised on what happens when we merge. I have not heard any real outright objections to the merge,
>
> Dirk made such an outright objection -- but perhaps he said it too nicely [0]:
>
>   ..I'm arguing against accepting https://github.com/w3c/webauthn/pull/384 as is, because I believe it will create a lot of future work for us that will slow us down.
>
> > so in favor of progress I suggest we accept #384 and deal with the questions as they come up with Mike West, as we seem to be just going around and around w/o making a decision.
>
> A more productive approach may be to consider our options in light of the desire to have an implementable and nominally usable draft webauthn level 1 API in the near term.
>
> To me the decision context appears to be:
>
> What's more important,
>
> (1) near-term implementable & adoptable/deployable webauthn draft with or without credman incorporation, or,
>
> (2) adding credman dependency now (because it seems we will do it at some point regardless), i.e., merge PR#384 as-is, and hope the resultant fixing/polishing does not take "too long"?
>
> Tony is suggesting (2).
>
> In [0] Dirk is arguing that (2) will result in taking "too long", and implies we should do option B plus some renaming.
>
> Though, an option (3) is that we could think things through more thoroughly, convince ourselves option C (below) is the correct thing to do in light of the other below options, and if it is, revise the PR#384 appropriately, then merge. One could argue this will take less time than just merging #384 as-is.
>
> @mikewest replied to Dirk's points in detail in [3], so we've embarked on option (3) if we hold off on merging. This is what I'd vote for.
>
> HTH,
>
> =JeffH
>
> details:
>
> Again, the webauthn||credman options [1][2] are:
>
> A. Just Rename (slides 8, 9)
> (as noted in the F2F minutes, this is to just "'rename' scopedCredential" such that webauthn (WA) does not use the term 'credential' in its API)
>
> B. Join credman class hierarchy, keep webauthn methods (slides 10..14)
>
> C. Join credman (CM) class hierarchy, use CM methods (slides 15..18)
>
> Plus, there is also the status-quo:
>
> D. Leave credman and webauthn entirely separate for their "level 1" (ie initial version) incarnations (leaves door open to address some sort of merger in level 2 incarnations).
>
> [0] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0138.html
>
> [1] WebAuthn vs Credential Management (@balfanz) <https://docs.google.com/presentation/d/1RyfQS3f-Dk7xU8S6pCSBzWl3jGGGrkF1zWkUypVUnik>
>
> [2] https://github.com/w3c/webauthn/pull/384#issuecomment-292734633
>
> [3] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0147.html
Received on Tuesday, 11 April 2017 19:30:18 UTC