- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Apr 2019 20:42:19 +0000
- To: public-webauthn@w3.org

The following commits were just pushed by emlun to https://github.com/w3c/webauthn:

* Note that appid should be set to the previously used AppID
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/486eb7b12fb443c4eab6ae8795d81c8f27d48710

* Remove extraneous newline
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/dafc308339f5e3875134ecb5d8b3dd87a9b67b26

* Add examples of authenticator types to Authenticator definition
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/a68031ae0bf89875788289bc2b537e29ede993e1

* Let requireUserPresence always be true in authenticator operations

  This fixes an oversight in commit 7f831e3c7ebf669041c6413acc8005c3efa0eb8b which causes it to be technically allowed for the authenticator to return (UV = 1, UP = 0), though the RP operations as currently specified would not accept such a response.

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/d9de1254080f44244954f378828046108911afd1

* Determine appid extension output after authenticator returns

  This fixes the following corner case:

  1. The user has a U2F authenticator A plugged in, which has been registered via the U2F API (i.e., with AppID).
  2. The user has a CTAP2 authenticator B plugged in, which has been registered via the WebAuthn API (i.e., with RP ID).
  3. The user initiates an authentication ceremony and the RP sets the `appid` extension.
  4. The client runs the above client processing and discovers that authenticator A does not contain a credential for the RP ID, and retries with the AppID. This succeeds, and the client sets the extension's _output_ to `true`.
  5. The client initiates authentication requests with both authenticator A and B, which both prompt the user for consent.
  6. The user confirms user consent on authenticator B, which generates an assertion for the RP ID.
  7. The client returns the assertion for the RP ID and the `appid` client extension output set to `true`.

  So it was possible for the extension output to end up being `true` even though the RP should verify the assertion using the RP ID and not the AppID.

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/776b7b14d6e8f64b101db7e92318c877c588e861

* Fix incorrect description of AuthenticatorAttachment

  Fixes #1153
  See https://github.com/w3c/webauthn/issues/1153

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/9e72ec30ca11f8b23e9f09c28daa635f4171b77b

* Move AuthenticatorAttachment description to before IDL definition

  For consistency with other IDL definition sections.

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/eae2c22f5bf8ba95e3c60de85bd954c5e13915ec

* Remove outdated hypothetical text addition
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/d16d62204030f6757f8680d8362dbb261d0ae4f8

* Merge pull request #1131 from w3c/issue-1128-authenticator-examples

  Add examples of authenticator types to Authenticator definition

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/7bc2f0366c10e44d90390f2c8942738ff2759625

* Clarify relationship to trust path in RP registration step 16
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/fca27b3cd5a1cbf610063193aa9e6abd7a6c5c8e

* Apply clarification to ECDAA as well
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/b175880e638b2b8803c2371758c1b1f4f5463e1a

* Merge pull request #1140 from w3c/issue-1123-uv-up

  Let requireUserPresence always be true in authenticator operations

  by J.C. Jones
  https://github.com/w3c/webauthn/commit/26cf7c62581ec913a06be4eb9ea94807a0468a32

* Merge pull request #1143 from w3c/issue-1034-appid-output-corner-case

  Determine appid extension output after authenticator returns

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/4de25bb480f30dbca8e83381637a5e04872484fd

* Merge pull request #1118 from w3c/appid-note

  Note that appid should be set to the previously used AppID

  by Adam Langley
  https://github.com/w3c/webauthn/commit/11126e87846c1677f6f5bf56f33086b875ea5e66

* Move Angelo Liao to the Former Editors list (#1172)
  by Mike Jones
  https://github.com/w3c/webauthn/commit/909b3c267babc181cdfc5d3aaf8b5033c5337703

* update registries draft per issue #1176 (#1177)

  * this is rev -02 of this Internet-Draft:
  * update JeffH's affiliation
  * add registry initialization instructions, update WebAuthn spec citation
  * fixing up various things, add doc history entry
  * provide erefs to dfns for attstn stmt fmt and extns idents, thx Giri!

  by =JeffH
  https://github.com/w3c/webauthn/commit/3fc3b1e8a71bf3a9962e7257ffcc0789dcfae023

* Allow authenticators to do None instead of Self attestation

  See issue #978 https://github.com/w3c/webauthn/issues/978

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/88695f49408f27b0da57fcdcafa737f6d53cf5f3

* fixup registries internet-draft's abstract (#1181)

  * update JeffH's affiliation
  * add registry initialization instructions, update WebAuthn spec citation
  * fixing up various things, add doc history entry
  * provide erefs to dfns for attstn stmt fmt and extns idents, thx Giri!
  * this is rev -02
  * fix abstract
  * fix various editorial items
  * regen .html & .txt files from .xml

  by =JeffH
  https://github.com/w3c/webauthn/commit/ce2b94710b78395a8d8ba55ae94d9904b1741067

* Change prohibitions on PII in user handles to MUST.

  Fixes #1146

  by Adam Langley
  https://github.com/w3c/webauthn/commit/5fd36c6c8c180631c6b93192bd65190533aa61a5

* Update SafetyNet attestation description (#1170)

  * Update SafetyNet attestation description

    Use official SafetyNet documentation as a reference rather than trying to keep this text up to date. Also update links to documentation
  * Clarify "ver" in safetynet

    Explain what to do with "ver" during verification
  * Fix typo
  * fix more typos
  * typo fix
  * Updated wording around 'ver'

  by Alexei Czeskis
  https://github.com/w3c/webauthn/commit/66515ffaf9d5d4cfcc2e882d1852434f4f333f8a

* Merge pull request #1185 from agl/issue1146

  Change prohibitions on PII in user handles to MUST.

  by Adam Langley
  https://github.com/w3c/webauthn/commit/7c793d2e0355b245d184a0de172fda197e0292dd

* Merge pull request #1168 from w3c/issue-1167-clarify-trust-path

  Clarify relationship to trust path in RP registration step 16

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/8678b43688f4f2fda83bb69586011a800160fadc

* Fix typo in Authentication example
  by Julian Tescher
  https://github.com/w3c/webauthn/commit/982edc7d668ed86979179dc4bcb2a0a3a1f6ef84

* Merge pull request #1159 from w3c/issue-1153-authenticatorattachment-description

  Fix incorrect AuthenticatorAttachment description

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/882985377ab4b3daf3d4960bab45a8cae624fd25

* Merge pull request #1190 from jtescher/patch-1

  Fix typo in Authentication example

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/871a1af48961938deeb3105a3af9ba300482579b

* Merge pull request #1182 from w3c/issue-978-self-attestation-not-required

  Allow authenticators to do None instead of Self attestation

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/d76ddf59892c12087b18399b89bb95685671fd70

* Merge branch 'master' into link-fixes
  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/703f495f5ff8093ed4015d2fa9bce02fbd41abec

Received on Wednesday, 3 April 2019 20:42:21 UTC
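
The RP-side view of the two fixes described in the commit messages above ("Determine appid extension output after authenticator returns" and "Let requireUserPresence always be true in authenticator operations"), as an added example that is not part of the original message or of the w3c/webauthn repository: a Node.js check of the authenticator data that picks the expected rpIdHash from the `appid` extension output and rejects a response without the UP flag. The names `checkAuthData`, `makeAuthData` and `demo`, and the `example.com` RP ID and AppID, are assumptions made for illustration; signature verification is out of scope.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

const FLAG_UP = 0x01; // authenticator data flags, bit 0: user present
const FLAG_UV = 0x04; // authenticator data flags, bit 2: user verified
const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// authData: Buffer laid out as rpIdHash[32] | flags[1] | signCount[4] | ...
// extResults: client extension outputs, e.g. { appid: true }
function checkAuthData(authData, extResults, { rpId, appId, requireUv = false }) {
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    return { ok: false, reason: 'authData too short' };
  }
  // appid output true: the client reports that the AppID was used, so the
  // hash must be SHA-256(AppID). Otherwise it must be SHA-256(RP ID).
  const usedAppId = extResults?.appid === true;
  if (usedAppId && !appId) return { ok: false, reason: 'no AppID configured' };
  const expected = sha256(usedAppId ? appId : rpId);
  if (!timingSafeEqual(authData.subarray(0, 32), expected)) {
    return { ok: false, reason: 'rpIdHash mismatch' };
  }
  const flags = authData[32];
  if ((flags & FLAG_UP) === 0) return { ok: false, reason: 'UP not set' };
  if (requireUv && (flags & FLAG_UV) === 0) return { ok: false, reason: 'UV not set' };
  return { ok: true, usedAppId, signCount: authData.readUInt32BE(33) };
}

// Constructed sample input (not real authenticator output).
const RP = { rpId: 'example.com', appId: 'https://example.com/appid.json' };
function makeAuthData(scope, flags, signCount) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(signCount, 1);
  return Buffer.concat([sha256(scope), tail]);
}

function demo() {
  const fromB = makeAuthData(RP.rpId, FLAG_UP | FLAG_UV, 7); // authenticator B, RP ID
  const fromA = makeAuthData(RP.appId, FLAG_UP, 42);         // authenticator A, AppID
  return {
    cornerCase: checkAuthData(fromB, { appid: true }, RP),   // output wrongly true
    fixed: checkAuthData(fromB, { appid: false }, RP),       // output set after return
    u2f: checkAuthData(fromA, { appid: true }, RP),
    uvWithoutUp: checkAuthData(makeAuthData(RP.rpId, FLAG_UV, 1), {}, RP),
  };
}
console.log(demo());
```

With the pre-fix client behaviour (`cornerCase`), a valid assertion from authenticator B fails the hash comparison because the RP was told to expect the AppID hash.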