W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

[webauthn] technical & terminology issues with PR#558 Plumb User ID through

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 04 Oct 2017 22:41:46 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-262953278-1507156891-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== technical & terminology issues with PR#558 Plumb User ID through ==
seems to me that PR#558 Plumb User ID through could have been reviewed more thoroughly prior to merging. I see a technical issue we arguably need to fix, and also feel that it further clouds our already fragmented/hazy/undisciplined terminology ( see also #358 and #462 ).

1.  technical issue with PR #558

please note here..
```
dictionary MakePublicKeyCredentialOptions {
    ...
    required PublicKeyCredentialUserEntity       user;
    ...
};

[...]

dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
    BufferSource   id;
    DOMString      displayName;
};
```
..that `user.id` is a BufferSource, here on the "input" side of things ie to [#createCrendential](https://w3c.github.io/webauthn/#createCredential), [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) et al. 


However, on the "output" side of things (ie [#op-get-assertion](https://w3c.github.io/webauthn/#op-get-assertion) and [#getAssertion](https://w3c.github.io/webauthn/#getAssertion)), in the [AuthenticatorAssertionResponse interface](https://w3c.github.io/webauthn/#iface-authenticatorassertionresponse), it is declared as a `DOMString` -- it really should be an `ArrayBuffer` like the other returned values, no?
```
interface AuthenticatorAssertionResponse : AuthenticatorResponse {
    [...]
    [SameObject] readonly attribute DOMString        userId;
};
```

2.  overall confusing terminology

this is the terminology on the "input" side ie [#createCrendential](https://w3c.github.io/webauthn/#createCredential)l, [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) et al:
```
dictionary MakePublicKeyCredentialOptions {
    ...
    required PublicKeyCredentialUserEntity       user;>     ...
};

[...]
dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
    BufferSource   id;
    DOMString      displayName;
};

id, of type BufferSource
  A unique identifier for the user account entity. This is a reference
  to an opaque byte array value specified by the Relying Party. The
  maximum size of this array is 64 bytes.
```
..so we have a "user.id" notion/term here, along with "user account".


In guts of [authnrMakeCred()](https://w3c.github.io/webauthn/#op-make-cred) we have..
```
   * Associate the credential with the specified RP ID and the user’s
     account identifier user.id.

   * Delete any older credentials with the same RP ID and user.id 
     that ...
```

..note use of "user's account identifier" and "user.id" here. 

the new term "user handle" only appears twice in the entire spec, both times on the "output side" of things, as noted below. 



On the "output" side, in [#getAssertion](https://w3c.github.io/webauthn/#getAssertion), there is:
```
    If any authenticator indicates success,

        Remove authenticator from issuedRequests.

        Let value be a new PublicKeyCredential associated with 
        global whose fields are:

        [...]>
        response

            A new AuthenticatorAssertionResponse object associated 
            with global whose fields are:

            [...]>
            userId

                A new DOMString containing the user handle returned
                from the successful authenticatorGetAssertion 
                operation, as defined in §5.2.2 The 
                authenticatorGetAssertion operation.
```

note the `userId` item that is part of `response`.  IMHO that contradicts the conclusion of the discussion in PR #558 where Christiaan agreed "[TODO: Change names to not contain the word userid. It's confusing](https://github.com/w3c/webauthn/pull/558#issuecomment-332736943)"

I would tend to want to name this "userHandle". (tho, then we have an impedance mismatch with the input side...)

And then the "user handle" prose term is used once more at the end of "[The authenticatorGetAssertion operation](https://w3c.github.io/webauthn/#op-get-assertion)"















Please view or discuss this issue at https://github.com/w3c/webauthn/issues/609 using your GitHub account
Received on Wednesday, 4 October 2017 22:41:36 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC