W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2017

Re: [webauthn] Replace Authenticator Model with CTAP

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Fri, 26 May 2017 19:34:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-304370423-1495827270-sysbot+gh@w3.org>
1. If the authenticator model's interface is in terms of WebIDL types, then CTAP would define how to convert the WebIDL values into CBOR and back, in order to transmit them over BT, USB, or NFC. If the authenticator model's interface is in terms of CDDL/CBOR types, then WebAuthn's algorithms need to produce the appropriate CBOR data before calling them. A generic WebIDL<->CBOR mapping might be the most concise way to specify some of that, but it's probably not essential.

2. Yeah, it might be that certain steps need to allow multiple options. I did something like that with https://webbluetoothcg.github.io/web-bluetooth/#same-attribute. I think we should still be explicit about where we're allowing implementation variation, and we should put constraints on the allowable behavior. For example, using DES to encrypt the private key into the credential ID should probably not be allowed.

3. For example, https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html#message-and-packet-structure specifies how the Client should take a command, which has a numeric identifier and a CBOR payload, and encode it into the USB HID protocol, and it also somewhat implicitly specifies how to identify the command and reconstruct the CBOR payload on the USB device side.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/410#issuecomment-304370423 using your GitHub account
Received on Friday, 26 May 2017 19:34:38 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:26 UTC