- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 04 Oct 2017 22:41:46 +0000
- To: public-webauthn@w3.org
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:
== technical & terminology issues with PR#558 Plumb User ID through ==
seems to me that PR#558 Plumb User ID through could have been reviewed more thoroughly prior to merging. I see a technical issue we arguably need to fix, and also feel that it further clouds our already fragmented/hazy/undisciplined terminology ( see also #358 and #462 ).
1. technical issue with PR #558
please note here..
```
dictionary MakePublicKeyCredentialOptions {
...
required PublicKeyCredentialUserEntity user;
...
};
[...]
dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
BufferSource id;
DOMString displayName;
};
```
..that `user.id` is a BufferSource, here on the "input" side of things ie to [#createCrendential](https://w3c.github.io/webauthn/#createCredential), [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) et al.
However, on the "output" side of things (ie [#op-get-assertion](https://w3c.github.io/webauthn/#op-get-assertion) and [#getAssertion](https://w3c.github.io/webauthn/#getAssertion)), in the [AuthenticatorAssertionResponse interface](https://w3c.github.io/webauthn/#iface-authenticatorassertionresponse), it is declared as a `DOMString` -- it really should be an `ArrayBuffer` like the other returned values, no?
```
interface AuthenticatorAssertionResponse : AuthenticatorResponse {
[...]
[SameObject] readonly attribute DOMString userId;
};
```
2. overall confusing terminology
this is the terminology on the "input" side ie [#createCrendential](https://w3c.github.io/webauthn/#createCredential)l, [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) et al:
```
dictionary MakePublicKeyCredentialOptions {
...
required PublicKeyCredentialUserEntity user;> ...
};
[...]
dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
BufferSource id;
DOMString displayName;
};
id, of type BufferSource
A unique identifier for the user account entity. This is a reference
to an opaque byte array value specified by the Relying Party. The
maximum size of this array is 64 bytes.
```
..so we have a "user.id" notion/term here, along with "user account".
In guts of [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) we have..
```
* Associate the credential with the specified RP ID and the user’s
account identifier user.id.
* Delete any older credentials with the same RP ID and user.id
that ...
```
..note use of "user's account identifier" and "user.id" here.
the new term "user handle" only appears twice in the entire spec, both times on the "output side" of things, as noted below.
On the "output" side, in [#getAssertion](https://w3c.github.io/webauthn/#getAssertion), there is:
```
If any authenticator indicates success,
Remove authenticator from issuedRequests.
Let value be a new PublicKeyCredential associated with
global whose fields are:
[...]>
response
A new AuthenticatorAssertionResponse object associated
with global whose fields are:
[...]>
userId
A new DOMString containing the user handle returned
from the successful authenticatorGetAssertion
operation, as defined in §5.2.2 The
authenticatorGetAssertion operation.
```
note the `userId` item that is part of `response`. IMHO that contradicts the conclusion of the discussion in PR #558 where Christiaan agreed "[TODO: Change names to not contain the word userid. It's confusing](https://github.com/w3c/webauthn/pull/558#issuecomment-332736943)"
I would tend to want to name this "userHandle". (tho, then we have an impedance mismatch with the input side...)
And then the "user handle" prose term is used once more at the end of "[The authenticatorGetAssertion operation](https://w3c.github.io/webauthn/#op-get-assertion)"
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/609 using your GitHub account
Received on Wednesday, 4 October 2017 22:41:36 UTC