On Wed, Dec 19, 2018 at 3:17 PM Adam Langley <agl@google.com> wrote:
> Bad pubKeyCredParams: pubKeyCredParams is empty Array
>
> Current Chrome fails this although it was marked as “passing”. It does
> appear that it's valid for this sequence to be empty. Thus I believe this
> is a Chrome bug.
>
WebAuthn and CTAP2 disagree on this point.

WebAuthn clearly thinks that an empty pubKeyCredParams is valid and
expresses no preference about the algorithm of any resulting credential
("The authenticator makes a best-effort to create the most preferred
credential that it can.")

CTAP2 says "If the pubKeyCredParams parameter does not contain a valid
COSEAlgorithmIdentifier value that is supported by the authenticator,
terminate this procedure and return error code
CTAP2_ERR_UNSUPPORTED_ALGORITHM."

So I can change Chromium to accept an empty list here and for non-CTAP2
devices it'll do something. But CTAP2 devices fail immediately.

Cheers
AGL
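
Added example (not part of the original message, and not Chromium or authenticator code): a small JavaScript model of the two behaviours quoted above, showing where an empty pubKeyCredParams diverges and how a relying party could lint its options for it. The function names, the first-match and "first supported algorithm" selection rules, and the sample authenticator are assumptions.

```javascript
// COSE algorithm identifiers from the IANA COSE registry.
const COSE = { ES256: -7, EdDSA: -8, RS256: -257 };
// CTAP2 status byte for CTAP2_ERR_UNSUPPORTED_ALGORITHM.
const CTAP2_ERR_UNSUPPORTED_ALGORITHM = 0x26;

// CTAP2 rule as quoted: no supported COSEAlgorithmIdentifier in the list -> error.
// Assumption: the first supported entry in list order is the one chosen.
function ctap2ChooseAlg(pubKeyCredParams, supportedAlgs) {
  for (const p of pubKeyCredParams) {
    if (p.type === "public-key" && supportedAlgs.includes(p.alg)) {
      return { ok: true, alg: p.alg };
    }
  }
  return { ok: false, status: CTAP2_ERR_UNSUPPORTED_ALGORITHM };
}

// WebAuthn reading as quoted: an empty list expresses no preference, so the
// authenticator picks on a best-effort basis.
// Assumption: "best effort" is modelled as the first algorithm it supports.
function bestEffortChooseAlg(pubKeyCredParams, supportedAlgs) {
  if (pubKeyCredParams.length === 0) return { ok: true, alg: supportedAlgs[0] };
  return ctap2ChooseAlg(pubKeyCredParams, supportedAlgs);
}

// Hypothetical relying-party lint: report options whose outcome depends on
// which of the two readings the client and authenticator follow.
function lintPubKeyCredParams(pubKeyCredParams) {
  if (!Array.isArray(pubKeyCredParams) || pubKeyCredParams.length === 0) {
    return ["empty pubKeyCredParams: CTAP2 devices fail with CTAP2_ERR_UNSUPPORTED_ALGORITHM"];
  }
  return pubKeyCredParams
    .filter((p) => p.type !== "public-key" || !Number.isInteger(p.alg))
    .map((p) => `malformed entry: ${JSON.stringify(p)}`);
}

// Constructed sample: one authenticator supporting ES256 and EdDSA.
function demo() {
  const supported = [COSE.ES256, COSE.EdDSA];
  const pk = (alg) => ({ type: "public-key", alg });
  return {
    emptyCtap2: ctap2ChooseAlg([], supported),
    emptyBestEffort: bestEffortChooseAlg([], supported),
    rsOnly: ctap2ChooseAlg([pk(COSE.RS256)], supported),
    preferEd: ctap2ChooseAlg([pk(COSE.EdDSA), pk(COSE.ES256)], supported),
  };
}
```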