[webauthn] Pull Request: Plumb CTAP's authorized "already registered" error through to RP

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== Plumb CTAP's authorized "already registered" error through to RP ==
This fixes #806, and relates to #184, #204 and #777.

To do before merging
---

- [ ] Review choice of `DOMException` error name

  I'm not sure [`InvalidStateError`][invalidstateerror] is the most suitable error name for this. Suggestions for other error names are very welcome.


Background
---

The [latest publicly published draft of CTAP2][ctap2-public] lists the first step of the `authenticatorMakeCredential` command as

> 1. If the excludeList parameter is present and contains a credential ID that is present on this authenticator, terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

In WebAuthn this error condition is currently hidden from the RP, by making it indistinguishable from the operation timing out, in order to not leak potentially identifying information without the user's consent.

However as @leshi points out in #806, the current internal draft of CTAP2 instead lists this first step as

> 1. If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED. User presence check is required for CTAP2 authenticators before the RP gets told that the token is already registered to behave similarly to CTAP1/U2F authenticators.

Since the new language requires that the user authorizes returning the CTAP2_ERR_CREDENTIAL_EXCLUDED error, returning this error early no longer constitutes an undesirable information leak - because the user has clearly indicated consent to share the information that would be leaked. Making this error distinguishable enables the RP to detect if the user attempts to register an authenticator they have already registered, and help them retry with a different authenticator.

[ctap2-public]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#h3_authenticatorMakeCredential
[invalidstateerror]: https://heycam.github.io/webidl/#invalidstateerror

See https://github.com/w3c/webauthn/pull/809

Received on Monday, 19 February 2018 17:23:47 UTC
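The following is an added example, not code from the pull request or the WebAuthn specification, showing how a relying party's front end could act on the distinguishable error the PR proposes: once an `excludeCredentials` match surfaces as an `InvalidStateError` rather than being folded into the timeout case (`NotAllowedError`), the RP can tell the user to try a different authenticator instead of silently retrying. The `createCredential` parameter is a hypothetical injection point standing in for `navigator.credentials.create` so the logic can run outside a browser; the error names are the ones discussed in the PR, and the credential IDs in the test are constructed.

```javascript
// Map the DOMException name thrown by navigator.credentials.create()
// to an RP-level outcome. Only the two names relevant to the PR are
// treated specially; everything else is passed through as "other".
function classifyRegistrationError(err) {
  if (!err || typeof err.name !== "string") return "unknown";
  switch (err.name) {
    case "InvalidStateError":
      // Proposed by the PR: a credential in excludeCredentials is already
      // present on the authenticator and the user authorized revealing that.
      return "already-registered";
    case "NotAllowedError":
      // Timeout or user cancellation (and, before the PR, also a hidden
      // exclusion match that the RP could not tell apart from a timeout).
      return "not-allowed";
    default:
      return "other";
  }
}

// Build the excludeCredentials list from the credential IDs the RP has
// already stored for this user, in the PublicKeyCredentialDescriptor shape.
function buildExcludeList(knownCredentialIds) {
  return knownCredentialIds.map((id) => ({ type: "public-key", id }));
}

// Turn an RP-level outcome into the message shown to the user.
function registrationMessage(outcome) {
  if (outcome === "already-registered") {
    return "This authenticator is already registered; please try a different one.";
  }
  if (outcome === "not-allowed") {
    return "Registration was cancelled or timed out; please try again.";
  }
  return "Registration failed.";
}

// Attempt a registration. `createCredential` is assumed (hypothetical) to
// behave like navigator.credentials.create({ publicKey }) and return a Promise.
async function registerAuthenticator(createCredential, publicKeyOptions, knownCredentialIds) {
  const publicKey = {
    ...publicKeyOptions,
    excludeCredentials: buildExcludeList(knownCredentialIds),
  };
  try {
    const credential = await createCredential({ publicKey });
    return { status: "registered", credential };
  } catch (err) {
    const outcome = classifyRegistrationError(err);
    if (outcome === "other" || outcome === "unknown") throw err;
    return { status: outcome, message: registrationMessage(outcome) };
  }
}
```

In a browser the call would be `registerAuthenticator((o) => navigator.credentials.create(o), options, storedIds)`; the RP should still keep the server-side check that rejects a credential ID it has already seen, since the client-side classification only improves the user-facing flow.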