- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 06 Feb 2018 10:06:59 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by emlun to https://github.com/w3c/webauthn:
* Update index.bs
Biometric Selection Criteria extension
by gmandyam
https://github.com/w3c/webauthn/commit/d77acb349d8d216c44333c227bd9eddbe32f9ea4
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/adf287058fa34827e0668d127e995ee96a23eddb
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/834062e5dc9046b08ceb6587758763f3475d6abc
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/82e0e41cc3f88efce5e33dbdc66858fc9eba7e9c
* Clarify PublicKeyCredentialEntity name descriptions
This resolves #622. This also changes some display name examples to
include non-ASCII characters.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8cdeac8e52a0b21688fdd429fafb43a8dc2b445d
* Drop user.name uniqueness recommendation
by Emil Lundberg
https://github.com/w3c/webauthn/commit/be5143fb9d5f50c056a95f1ab358307c5a9df4d4
* Merge branch 'master' into issue-622
by Emil Lundberg
https://github.com/w3c/webauthn/commit/343b89d8a64e81920133c1df25515d769528a959
* Wait for lifetimeTimer to expire instead of issuedRequests to be empty
The previous language would have the procedure terminate as soon as
there are no pending authenticator requests - including immediately at
the beginning unless at least one authenticator is available at that
time.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/18847d55a42c92eec4ed13530edee49f0d28a3a8
* Add privacy consideration about terminating getAssertion early
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3a8f961db57f935d7f07312ac3aa1f1e69d26b98
* Clarify that the privacy consideration is a timing issue
by Emil Lundberg
https://github.com/w3c/webauthn/commit/df7dc0f28242bf3819fffcfa6162ae3ef22a6ce3
* Address review comment by @kpaulh
by Emil Lundberg
https://github.com/w3c/webauthn/commit/96655eb220880c1f34d4579501cba5ce6f11effb
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/8d0c61f05a4ebc8c4aa4f211ec5485db58ab37f6
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/14672723a1577508c0a5ef42c0aabedc40789e80
* Update index.bs
by gmandyam
https://github.com/w3c/webauthn/commit/90f0476b0a8da42324b50cafcb159588fecac3ef
* Partially address review comments
by Emil Lundberg
https://github.com/w3c/webauthn/commit/819b77a0be534ff0dc4e6754893dcbd0bd9c05de
* Resolve #698 - Rename requireUserVerification (#699)
* Resolve #698 - Rename requireUserVerification
* Rename userVerification to userVerificationRequirement
* Add missing |options|.{{authenticatorSelection}} prefix
* Add missing <code/> wrapper
* Remove extraneous </code> end tag
* Revert "Rename userVerification to userVerificationRequirement"
This reverts commit 4d774ddd542abac5d30682e4380b2d93cbe663a7.
by J.C. Jones
https://github.com/w3c/webauthn/commit/416732ec746d3d2efde237dbc3a072e02d1b3857
* fix #700 & #701: add same origin with ancestors param (#702)
* fix #700 add sameOriginWithAncestors parameter to internal methods, improve #701
* fix #701 [[Create]] and [[DiscoverFromExternalSource]] references have inconsistent parameter lists
* address jcjones' comments, thx!
* fix missing '(' problem
* make xrefs to credman Origin Confusion nicer
* fix 'var used only once' warning
* fix cut'n'paste error, thx emlun!
* editorial: normalize argument exposition across internal methods
* fix another sloppiness instance
* add ref to Note wrt leveraging Feature Policy spec in future
* minor edit
* further wordsmithing
by =JeffH
https://github.com/w3c/webauthn/commit/2f0b13e0afa13081e2cf62f09267e119196b8952
* Resolve linking errors for WD-07 publication (#703)
* fix proper subset tweak
* resolve linking error for AttestationNotPrivateError
* resolve linking error: idl ref not found for [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)
* remove unnecessary commits
* accept jeff suggestion
by Angelo Liao
https://github.com/w3c/webauthn/commit/5e63e5780a531a1cf8cf0e9f9e9b55507982bc9f
* revert master branch to editors' draft status
by JeffH
https://github.com/w3c/webauthn/commit/12f2d09a437489e69b0c482e664642bae32586bd
* Merge branch 'master' into master4
by J.C. Jones
https://github.com/w3c/webauthn/commit/8ea9c78342438e3cc02ed2f5aabe65a821139c8e
* Merge branch 'master' into master4
by J.C. Jones
https://github.com/w3c/webauthn/commit/a4fe0faf249c37d2fb39eb05bb805c45fe420d9e
* Merge pull request #695 from gmandyam/master4
CDDL description of location extension
by gmandyam
https://github.com/w3c/webauthn/commit/33ac796035b250d29ddf056ac044319825128104
* Change link target for [=username=]
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1f8e10ce3d47aabf9df84007f6b6d04766008c41
* Address review comments
by Emil Lundberg
https://github.com/w3c/webauthn/commit/7508d60780468ae570d93e4a95bb350f13fd686b
* Extract formal definition of Human Palatability
by Emil Lundberg
https://github.com/w3c/webauthn/commit/64b728e13e4ea65e1b13045baf52b677cf8ed345
* Rework the FIDO AppID extension.
This change clarifies the behaviour of the `appid` client extension
and removes the client extension output.
Fixes #491.
by Adam Langley
https://github.com/w3c/webauthn/commit/b631dc5613ca267066f6cf6ab83f66f1a19b349f
* Don't say user handle is optional in Public Key Credential Source definition
This resolves #720.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/d448eb3a2da0b5682cdf98c10c6a3ee5d399d667
* Add formal links to PublicKeyCredentialDescriptor description (#719)
This resolves #716.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8ea5208a01c5993149077e86ef697d20f43e058f
* Change id -> ID (#722)
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0d52835299a025a114007dcb22bf5cf15b504c32
* Fix issue #685 (#686)
See https://github.com/w3c/webauthn/issues/685
by Emil Lundberg
https://github.com/w3c/webauthn/commit/269144c764db7818c9d149bd08e82c83c2906d74
* Specify that SHA-256 is used for hashing the client data. (#710)
Approved on today's WG call
by Adam Langley
https://github.com/w3c/webauthn/commit/6734b92a8831b37c423e973d81624e89b6e20179
* Don't say user handle is optional in Public Key Credential Source definition (#721)
This resolves #720.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/986d6275555e1b9cdd58dc1fcb6df306979e3e9c
* Reference EduPerson for definition of Human Palatability
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1904e734025fd9262669e69b42b6745f7da63d2b
* Don't return user handle in getAssertion in 2nd factor mode
As stated in
https://github.com/w3c/webauthn/pull/558#issuecomment-331537953 and
https://github.com/w3c/webauthn/pull/558#issuecomment-330592503 the user
handle should not be returned when operating in 2nd factor mode (i.e.,
when given a non-empty `allowCredentials` list).
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3b2a1d141cbd8f2954f073a6b6598d954398a986
* Respond to PR comments.
by Adam Langley
https://github.com/w3c/webauthn/commit/ba0f730e3ef2fdbad0d242bddec5e08f3ad45b47
* Add note on why authenticator attachment is used only in create() (#708)
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f780ca85a74f664bea4890bd1111a6e97b1099f0
* Correct Android Key attestation verification procedure. Fixes #599. (#717)
by Arnar Birgisson
https://github.com/w3c/webauthn/commit/8f349fefbba8326f493e7bfeb4150c961daaba53
* Updated editors and acknowledgements (#726)
Updated editors and acknowledgements and added contributors section
by Mike Jones
https://github.com/w3c/webauthn/commit/758115fa641e92234485369b1129741b6fde533d
* fix broken {{PublicKeyCredentialEntity/id}} links to be {{PublicKeyCredentialRpEntity/id}} (#728)
by =JeffH
https://github.com/w3c/webauthn/commit/9a7eba85fb463531382e36605119475182f6d4f6
* fix 711 identifier internal slot contains credID (#729)
by =JeffH
https://github.com/w3c/webauthn/commit/06af8bc949948fe4d7554f0bd59d942dc1430593
* Added John Bradley to Acknowledgements
by Mike Jones
https://github.com/w3c/webauthn/commit/99baccf8be8abf78607e4a86bad809189ec71863
* move the credentialId uniqueness handling to the formal alg steps. (#709)
* move the credentialId uniqueness handling to the formal alg steps. Close #579
* be more precise about what ceremony we mean
by Rolf Lindemann
https://github.com/w3c/webauthn/commit/a6c0da2f14924a52cd20d94f38012848b15db1b6
* Address review comments by @akshayku
by Emil Lundberg
https://github.com/w3c/webauthn/commit/3938fc136da36ba518809b7ba9df476360173cf0
* CTAP alignment: Make storing user handle optional for non-resident keys
CTAP's [authenticatorMakeCredential][1] method stores the `user`
parameter only for resident credentials.
[1]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#h3_authenticatorMakeCredential
by Emil Lundberg
https://github.com/w3c/webauthn/commit/609d28a34bc5ff9b96c10f17db308268f9aa4ec5
* Revert "Don't say user handle is optional in Public Key Credential Source definition"
This reverts commit d448eb3a2da0b5682cdf98c10c6a3ee5d399d667.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/684581f714e3a4c10f07f63db5233751e9bbf3a2
* Merge branch 'master' into issue-184
by Emil Lundberg
https://github.com/w3c/webauthn/commit/73b9e4fb9e6a1cd4cce6448c34cfa1e54d0d6179
* Move getAssertion privacy considerations to Security Considerations
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1214398f9724889be48f011176db26325c2259b8
* Move normative language from priv-cons into algorithms
by Emil Lundberg
https://github.com/w3c/webauthn/commit/38e2c4fc25f5622d3a28152951471b15cc81e875
* Address review comments by @equalsJeffH
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2752db2ceb5bb928ffc7d75a7877c330689833fe
* Fix two more "denies consent" => "does not consent"
by Emil Lundberg
https://github.com/w3c/webauthn/commit/0c6641025774dd41dc84acc91764b9d852322afd
* add 'Dictionary' to Credential{Creation,Request}Options section titles
by JeffH
https://github.com/w3c/webauthn/commit/8b1b3da69e1e0ce4adda44b7fa21e3a1e47966a3
* Address one of @equalsJeffH's review comments
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f3e8afbad0d20ede932bb483be9e91ed01df1b6f
* Merge pull request #734 from w3c/jeffh-fix-497-dict-extension-titles
fix #497: add 'Dictionary' to Credential{Creation,Request}Options section titles
by Emil Lundberg
https://github.com/w3c/webauthn/commit/950f574888860152a8ae5b4921d4675a269363d3
* fix #455: we are using CTAP canonical CBOR encoding form everywhere (#731)
* fix #455: we are using CTAP canonical CBOR encoding form everywhere
* incorp akshayku's comment, thx!
by =JeffH
https://github.com/w3c/webauthn/commit/7be2d3df6c938a85cdd2c01b40dfdaf3e58c3d63
* Merge pull request #730 from w3c/issue-720-user-handle-optional
Fix #720: Align user handle management with CTAP
by Emil Lundberg
https://github.com/w3c/webauthn/commit/5948f3bea8d5ae5fd7137dadce20b1c3e267d6e5
* Merge branch 'master' into issue-622
by Emil Lundberg
https://github.com/w3c/webauthn/commit/432e531a7aa50013725964d6a0464113c7f8ba9e
* Merge pull request #666 from emlun/issue-622
Merging as decided on 2018-01-03 WG call.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/35b730be6d0e3db254db61f73c3a9dc2e602ddb4
* Merge branch 'master' into issue491
by Adam Langley
https://github.com/w3c/webauthn/commit/9c6ad1e18bb8aa1dc8b28fb417bcab5f11358f08
* Link “assertion”, as requested by Jeff.
by Adam Langley
https://github.com/w3c/webauthn/commit/6c9d5295ffee0a3820b8d387de3312521ffc8041
* Merge pull request #723 from agl/issue491
Rework the FIDO AppID extension.
by Adam Langley
https://github.com/w3c/webauthn/commit/0ed625785d7d8c01cc43a1d3910034a0ff49141a
* Normalize RFC2119 language (#470)
* Normalize RFC languages
* Minor tweak to not accidentally change things
* update based on review
* fixed travis build issue
by Angelo Liao
https://github.com/w3c/webauthn/commit/3cfaeba5be63850c23231fa220e8b5592bfd62ed
* fix #322: flesh out Security Considerations (for now) (#705)
merging this per discussion on today's webauthn call. @agl & @leshi: please submit discrete issues for the items you identified above. thx.
commits:
* consolidate sec cons sections, create priv cons
* update FIDOSecRef URL to point to latest rev
* add FIDOAuthnrSecReqs ref, minor editorials
* expand WebAuthn client dfn, compose sec cons intro ref'g FIDOSecRef and FIDOAuthnrSecReqs
* fix AttestationNotPrivateError linking error, thx angelokai!
* fix [[DiscoverFromExternalSource]] link error, thx AngeloKai!
* address emlun's feedback, thx!
* merge from master and fix conflicts
by =JeffH
https://github.com/w3c/webauthn/commit/c64bdaf2f6b026369729e553b6008d4830e61993
* Changed uses of JSON string to USVString (#739)
by Mike Jones
https://github.com/w3c/webauthn/commit/ade832157979451f8e69367f0d5749a939ec2aef
* Merge branch 'master' into issue-184
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f7bc2f865e7b8c7689084a00c4cb501e7ad20b4c
* Fix typo
by Emil Lundberg
https://github.com/w3c/webauthn/commit/8ee452ce488fd54bbd2ea1018422ef31d321307b
* fix 543: improve COSE_Key spec language and add COSE_Key examples (#732)
* update COSE_Key format description parag
* create example public keys section
* alg -37 is actually PS256; align PS256 & RS256 text with ES256 text
* fix modulus length, as encoded in COSE_Key, to be 256 bytes rather than 257
* incorp agl's comments, thx!
* adj example whitespace, thx agl!
* further whitespace twiddling...
by =JeffH
https://github.com/w3c/webauthn/commit/58e824a5c1b0d12cee42aa4fc25df47d8dcdb39e
* Fix #715 - add a conformance class note for FIDO U2F Attestation Types (#740)
Editorial fix: Note that U2F authenticators can't store-and-return a user
handle.
by J.C. Jones
https://github.com/w3c/webauthn/commit/958a9d1c1cb2c8a9b29c9fab6aa87db3f4ae18f8
* Revert one "denies consent" => "does not consent" change
See https://github.com/w3c/webauthn/pull/687#issuecomment-357038495
by Emil Lundberg
https://github.com/w3c/webauthn/commit/fb749d896665c3ffa708a508edc321c3cc5e3846
* Copy changes from #736
As requested by @equalsJeffH at
https://github.com/w3c/webauthn/pull/736#issuecomment-357309766
by Emil Lundberg
https://github.com/w3c/webauthn/commit/f716b7fcfa4be4566a88a6f7b18b51804e66c721
* Merge pull request #735 from emlun/master
Change "denies consent" to "does not consent"
by Emil Lundberg
https://github.com/w3c/webauthn/commit/ab361bd7994ddce7ac53763c2a8089f737a5c1a8
* Merge pull request #687 from w3c/issue-184
Add privacy consideration about terminating getAssertion early
by Emil Lundberg
https://github.com/w3c/webauthn/commit/51ec228afc78b51abe1ee1fc6caa9f957a34d4f7
* Update CDDL to reflect packed, self-attestation.
The verification process for the packed attestation format deals with a
case where both `x5c` and `ecdaaKeyId` elements are absent, but the CDDL
doesn't reflect that possibility.
by Adam Langley
https://github.com/w3c/webauthn/commit/f0224aa2bb69478aa9d42894d5f036ad0c1d9936
* Corrected txAuthGeneric client extension input type (#737)
* Corrected txAuthGeneric client extension input type
* Changed JSON object to JavaScript object
* Indent to make the input valid Markdown
by Mike Jones
https://github.com/w3c/webauthn/commit/696cc5f0d923bf770b514468ccb074b9db272dbc
* Un-hardcode list item numbers
Except for two cases where the preceding text explicitly states that the
list has two elements.
by Emil Lundberg
https://github.com/w3c/webauthn/commit/427c7eb63f8b125c875aa7e080b05a997dd3c02e
* Merge pull request #754 from w3c/unhardcode-list-numbers
Un-hardcode list item numbers
by Emil Lundberg
https://github.com/w3c/webauthn/commit/1e77b424cc8b61c11403ca3152d70bd3541fb440
* fix |allowCredentialDescriptorList| warning from L3605 (#761)
it's good enuff for now :)
by =JeffH
https://github.com/w3c/webauthn/commit/528916914afa9c17dd7a9a4a8b0b8fcc019d9034
* Bikeshed spec data update
by J.C. Jones
https://github.com/w3c/webauthn/commit/b0cae5e2fb2b6e0d7f25a2153768e137a01423f1
* Define preventSilentAccess() behavior (#758)
Merged per the decision at the Monterey plenary meeting
by Mike Jones
https://github.com/w3c/webauthn/commit/62095dac95b2a15b389352b0a23f31d380ca3831
* Define credentialIdLength representation (#756)
Merged
by Mike Jones
https://github.com/w3c/webauthn/commit/10c150517f1b05b796aee64953628fe948dfeae6
* Fix issue #753: Verify user identity in RP authentication operation (#755)
Merged
by Emil Lundberg
https://github.com/w3c/webauthn/commit/45b306297824475941d009b0d69f1eb3af43341e
* Reference FIDO Privacy Principles (#759)
Merged
by Mike Jones
https://github.com/w3c/webauthn/commit/9b8da80d6cd863ece10fc860a4f01083a7392c6b
* Security Considerations for Unsigned Credential ID (#766)
Thanks Emil!
by Mike Jones
https://github.com/w3c/webauthn/commit/e5c8c4fbf574a1a50192052c569d0e2dcdd57a29
* Define actions for “none” attestation.
This change defines a minimal set of actions for browsers to take when
“none” attestation is requested. It also defines a new, empty
attestation format for this case.
Fixes #694
by Adam Langley
https://github.com/w3c/webauthn/commit/35032b8da50d1f6b348470e484321dc357079812
* Update in light of Jeff's comments.
by Adam Langley
https://github.com/w3c/webauthn/commit/1d7e2ef08cb4ba72517733728cd8104fb604ccb1
* Address emlun's comments.
by Adam Langley
https://github.com/w3c/webauthn/commit/2c2e46f6a3efe0aebfd741546a88fcdc93281bb1
* Reference the FIDO 100k batch sizes.
PING suggested referencing the FIDO 100k requirement as guidance on
suitable batch sizing for attestation certificates.
Fixes #749
by Adam Langley
https://github.com/w3c/webauthn/commit/719f33bece65b433d377c30f80d1e7ccfdc2b0af
* Tighten up the specification of packed X.509 certificates.
Fixes #768.
by Adam Langley
https://github.com/w3c/webauthn/commit/d51fbe91bb64e3dc51f814e3b8470be38cfe4fe6
* Merge pull request #767 from agl/issue749
Reference the FIDO 100k batch sizes.
by Adam Langley
https://github.com/w3c/webauthn/commit/dc3958c9c439a0875db4c37a7e434e5c3f9464d9
* Merge pull request #769 from agl/issue768
Tighten up the specification of packed X.509 certificates.
by Adam Langley
https://github.com/w3c/webauthn/commit/9d5609d243966c9c99640ea97ed34b89e6df30b3
* fix #610 privacy CA now known as attestation CA (#762)
* fix #610 priv CA now attstn CA
* fix incorrect US English article, thx selfissued :)
* use AIK certificate term
by =JeffH
https://github.com/w3c/webauthn/commit/0f4cfe4807a09dffe565f69cdcc8dcc506706f96
* Strongly type client extension inputs and outputs (#765)
* Strongly type client extension inputs and outputs
* Remove the unused AuthenticationExtensionsAuthenticatorOutputs typedef
* Capitalize typedef names UvmEntry and UvmEntries
by Mike Jones
https://github.com/w3c/webauthn/commit/1fc8906a20bb0698d68de3fbe55ebd109617b3bd
* Describe how authenticators unique and find credential sources. (#623)
* Define Public Key Credential Source and Credential ID.
This also redefines "Public Key Credential" to be the thing presented to the RP,
as a willful violation of RFC4949.
Credential ID is defined to explicitly include the possibility that it's the
encrypted Credential Source.
* Link "credential ID".
* Allow hashes as credential IDs.
* Describe how authenticators unique and find credential sources.
This happens to fix a maybe-bug where the authenticator didn't check that a
decrypted credential ID came from the right RP.
It's also much more precise about the distinction between a credential
descriptor and a credential or credential source.
* finish merge-from-master and fixup dangling internal crossrefs
* restore masthead
* restore clientDataHash rather than tbsHash in U2F attstn format
* fixing rendering issue
* fixup merge-from-master loose ends by hand
* fix var ignore issue
* address emlun's comments, thx!
* catch straggler from emlun's comments, mea culpa
* ignore a var make bikeshed happier
* move op-lookup-credsource-by-credid alg to new subsection
* dont need ignore no more
by Jeffrey Yasskin
https://github.com/w3c/webauthn/commit/4f1a3ba8339824dc0491274393bebe3c142676f6
* Merge pull request #751 from agl/selfattestation
Update CDDL to reflect packed, self-attestation.
by Adam Langley
https://github.com/w3c/webauthn/commit/72958fef808d45e04bbaaf6f17c494104162f0e5
* Merge branch 'master' into issue694
by Adam Langley
https://github.com/w3c/webauthn/commit/0c9591ec1fef2745a0a3fc9f74fbd66ad7612168
* Merge pull request #741 from agl/issue694
Define actions for “none” attestation.
by Adam Langley
https://github.com/w3c/webauthn/commit/4115aefd4617f4483317b0022e7dd0061ade91a7
* PR #763 untangled: Add consideration of browser permissions framework for extension processing (#771)
PR #763 untangled: Add consideration of browser permissions framework for extension processing
by Emil Lundberg
https://github.com/w3c/webauthn/commit/99766e01bae6955f895912e03a4448369a104a98
* Merge branch 'master' into issue-668
by Emil Lundberg
https://github.com/w3c/webauthn/commit/b49703b7ff62b2d51b82110cb7ef7ba6f074534c
* Fix outdated step references in RP algorithms
by Emil Lundberg
https://github.com/w3c/webauthn/commit/2026fdc3cf8ede55b3eaac11f37b18c994ce3520
Received on Tuesday, 6 February 2018 10:07:05 UTC