- From: Mike Jones via GitHub <sysbot+gh@w3.org>
- Date: Wed, 21 Feb 2018 22:34:17 +0000
- To: public-webauthn@w3.org
selfissued has just merged emlun's pull request 809 for https://github.com/w3c/webauthn:

== Plumb CTAP's authorized "already registered" error through to RP ==

This fixes #806, and relates to #184, #204 and #777.

To do before merging
---

- [x] Review choice of `DOMException` error name

I'm not sure [`InvalidStateError`][invalidstateerror] is the most suitable error name for this. Suggestions for other error names are very welcome.

Background
---

The [latest publicly published draft of CTAP2][ctap2-public] lists the first step of the `authenticatorMakeCredential` command as

> 1. If the excludeList parameter is present and contains a credential ID that is present on this authenticator, terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

In WebAuthn this error condition is currently hidden from the RP, by making it indistinguishable from the operation timing out, in order to not leak potentially identifying information without the user's consent.

However, as @leshi points out in #806, the current internal draft of CTAP2 instead lists this first step as

> 1. If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.
>
> User presence check is required for CTAP2 authenticators before the RP gets told that the token is already registered to behave similarly to CTAP1/U2F authenticators.

Since the new language requires that the user authorizes returning the CTAP2_ERR_CREDENTIAL_EXCLUDED error, returning this error early no longer constitutes an undesirable information leak, because the user has clearly indicated consent to share the information that would be leaked. Making this error distinguishable enables the RP to detect if the user attempts to register an authenticator they have already registered, and help them retry with a different authenticator.
[ctap2-public]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#h3_authenticatorMakeCredential
[invalidstateerror]: https://heycam.github.io/webidl/#invalidstateerror

See https://github.com/w3c/webauthn/pull/809
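The RP-side handling that this change makes possible, as an added example that is not part of the pull request, the WebAuthn spec text or any project code. It assumes the `DOMException` name the PR proposes (`InvalidStateError`) is the one the RP sees, that the RP stores the credential IDs already registered to the user as base64url strings (an assumption for the sample data), and that `NotAllowedError`, WebAuthn's error name for a timeout or user refusal, is the bucket the excluded case used to be folded into. The `create` callback is injected so the flow can be exercised outside a browser; in production it is `navigator.credentials.create`.

```javascript
// Added example (not from the PR or the WebAuthn spec): RP client-side code
// that builds excludeCredentials from the user's already-registered credential
// IDs and turns the "already registered" rejection into a distinct outcome the
// UI can act on, instead of treating it like a timeout.

// Decode a base64url string into the ArrayBuffer WebAuthn expects for
// credential IDs. Falls back to Buffer when atob() is unavailable (old Node).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  const binStr =
    typeof atob === "function"
      ? atob(b64 + pad)
      : Buffer.from(b64 + pad, "base64").toString("binary");
  return Uint8Array.from(binStr, (c) => c.charCodeAt(0)).buffer;
}

// Build the excludeCredentials list for navigator.credentials.create(). The
// client forwards it to the authenticator as CTAP's excludeList, which is what
// triggers CTAP2_ERR_CREDENTIAL_EXCLUDED when one of these IDs is present
// (and, under the newer CTAP2 language, after the user has touched the token).
function buildExcludeCredentials(registeredCredentialIds) {
  return registeredCredentialIds.map((id) => ({
    type: "public-key",
    id: base64urlToBytes(id),
  }));
}

// Classify a create() rejection. The PR's whole point is that the first case
// is now distinguishable from the second, so the RP can tell the user to try a
// different authenticator rather than showing a generic "registration failed".
function classifyRegistrationError(err) {
  const name = err && err.name;
  if (name === "InvalidStateError") return "already-registered"; // error name assumed per the PR
  if (name === "NotAllowedError") return "cancelled-or-timeout";
  return "other-error";
}

// Full registration flow. `create` is injected for testability; in a browser
// pass (opts) => navigator.credentials.create({ publicKey: opts }).
async function registerAuthenticator(create, publicKeyOptions, registeredCredentialIds) {
  const options = {
    ...publicKeyOptions,
    excludeCredentials: buildExcludeCredentials(registeredCredentialIds),
  };
  try {
    const credential = await create(options);
    return { outcome: "registered", credential };
  } catch (err) {
    return { outcome: classifyRegistrationError(err), credential: null };
  }
}
```

Note that the RP still only learns "this authenticator holds one of the IDs I asked about": the excludeList is built from IDs the RP already knows, and under the newer CTAP2 wording the authenticator reports the match only after user presence, which is why surfacing it is no longer treated as a leak.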
Received on Wednesday, 21 February 2018 22:34:25 UTC