[webauthn] new commits pushed by equalsJeffH

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 18 Apr 2019 19:50:56 +0000
To: public-webauthn@w3.org
Message-ID: <push-d58c4ea368c4d6d56db9644bb3a3a7be94086a6a-1555617054-sysbot+gh@w3.org>

The following commits were just pushed by equalsJeffH to https://github.com/w3c/webauthn:

* Clarify user identification in RP assertion verification operation
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/175d9fc98be8d9bcc110bbe62e307ea784428cae

* Fix typo in figure 1
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/66573376668da60df4b631bd3212ccae5b85cb59

* Move text in Figure 1 to within bounding box
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d0397670a6ee2a9ccd0ae926adb2eea2c5a8d215

* Use "user handle mapped to user" language in user identification step
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/9f1a5d348e541cfdb03422b8d169a12cedbee851

* Add examples of how user might be identified
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/c19327d6f8646f16f50a19c101140f8fcc852922

* Fix typos in get() algorithm
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/24cd9df04448a794eb894eaa150a3b7467045eab

* In safetynet attestation "nonce" is base64, not base64url
  by Ackermann Yuriy
https://github.com/w3c/webauthn/commit/7b487ffdac3a49bb09d2900f9a3e5fc8de874746

* Add the word "OPTIONAL" to `userVerification` field to match surrounding style.

Previously, `userVerification` was the only optional field of `PublicKeyCredentialRequestOptions` that didn't include the word "OPTIONAL", which can suggest at first glance that this field is not optional like the other optional ones. Adding the word is simple, and should avoid potential confusion.
  by Lucas Garron
https://github.com/w3c/webauthn/commit/0225a138b9a7bb9054de4c1b276f2403e9f7d80a

* Config
  by plehegar
https://github.com/w3c/webauthn/commit/c9e08303098a0d6010b77b58e13f3c71dd843e36

* update token binding citation (#1087)

* update token binding citation

* update tokbind ref to published RFC8471
  by =JeffH
https://github.com/w3c/webauthn/commit/0c513dfd6ced48656e39c5dd7b17c2e81aa5d789

* update token binding citation (#1087)

* update token binding citation

* update tokbind ref to published RFC8471
  by =JeffH
https://github.com/w3c/webauthn/commit/5643359a906fa137a2b03c74173a95cf3f7d4f08

* update token binding citation (#1087)

* update token binding citation

* update tokbind ref to published RFC8471
  by =JeffH
https://github.com/w3c/webauthn/commit/ddbd15a9ad347a04b6639576974c60362787ead0

* update token binding citation (#1087)

* update token binding citation

* update tokbind ref to published RFC8471
  by =JeffH
https://github.com/w3c/webauthn/commit/f77a1abe9a8866168b7152f97ede0eb8e53691a3

* update token binding citation (#1087)

* update token binding citation

* update tokbind ref to published RFC8471
  by =JeffH
https://github.com/w3c/webauthn/commit/bc195aad084d73e570c581b12f866caff60ec222

* May->might (#1103)

https://github.com/w3c/webauthn/issues/1098
  by Wendy Seltzer
https://github.com/w3c/webauthn/commit/742c773cbc20b3cafa22533916d2528ff87e1361

* Clarify UP and UV flags in authenticator data section
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/7afd02eac65a555f694ed3d7b7cecde51fbb104c

* Refine introduction to compliant authenticators (#1109)

* Refine introduction to compliant authenticators

* Link terms: Platform Authenticators, Roaming Authenticators

As suggested in
https://github.com/w3c/webauthn/pull/1109#pullrequestreview-175007665
  by Mike Jones
https://github.com/w3c/webauthn/commit/7b1ca9d43ac6c63fa753bd24a5446226728e21d9

* Refine FIDO Security Considerations language (#1110)
  by Mike Jones
https://github.com/w3c/webauthn/commit/44cd21e0b8049dd2ae37ba5db14f5c35b6ab7be3

* Merge pull request #1094 from lgarron/optional-userVerification

Add the word "OPTIONAL" to `userVerification` field to match surrounding style.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b2b114164460351a3e9941daf973ee63c3ea7950

* Merge pull request #1085 from w3c/issue-1084-figure-typo

Fix typo in Figure 1
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8b5bbf56617c684c17dc750fcb51488caccea965

* Merge pull request #1113 from w3c/issue-1112-clarify-uv-up-flags

Clarify UP and UV flags in authenticator data section
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8fd57e34f23f3322dcd62a4b469fbc0c24e62112

* Note that appid should be set to the previously used AppID
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/486eb7b12fb443c4eab6ae8795d81c8f27d48710

* Match text for identical verification steps

When verifying the registration response, we use different text than the identical step in verifying assertion. The hash is also referred/linked as 'RP ID Hash' in the registration step text, rather than being referred/linked as the more helpful `rpIdHash`.
  by Nick Steele
https://github.com/w3c/webauthn/commit/142cb066b67d4b9dc99e07990815645461ff6c64

* Fix typo in credential registration steps
  by Nick Steele
https://github.com/w3c/webauthn/commit/5b083f934c2a2c5989f134316245475e2777a8d3

* Merge pull request #1092 from w3c/issue-1089-extensions-argument-typo

Fix typos in get() algorithm
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/2b826ef655faac81f24e92f93f78f62606bd80cb

* Merge pull request #1119 from nicksteele/patch-1

Match text for identical verification steps
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/f332dfe3dc31c9c336789812a8715c9eca24c38b

* Singularize Relying Parties' to Relying Party's
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b78f82a7582ed7090a3341f079df4475fa58108b

* Clarify user identification in RP assertion verification operation (#1082)

Merging per review during 9-Jan-19 call
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/c537d1ce6c9e420496ce5fcedb21393fea621baa

* Singularize Relying Parties' to Relying Party's (#1126)
  by J.C. Jones
https://github.com/w3c/webauthn/commit/d0b1603b0eae2ff0168aac4127fa4611e6171942

* Merge pull request #1120 from nicksteele/patch-2

Fix typo in credential registration steps
  by J.C. Jones
https://github.com/w3c/webauthn/commit/c3ac19bac411e7bf92d43250bf07084404c011bd

* Merge pull request #1093 from herrjemand/patch-3

In safetynet attestation "nonce" is base64, not base64url
  by J.C. Jones
https://github.com/w3c/webauthn/commit/ad9bd4708bc64a05b2d34403061414a288f0c99c

* Remove extraneous newline
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/dafc308339f5e3875134ecb5d8b3dd87a9b67b26

* Add definition alias "WebAuthn Authenticator"
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d5facf08f4696a6457a7a8ec2c8caf709a15207e

* Use WebAuthn Authenticator term where appropriate

- Existing occurrences of "WebAuthn authenticator"
- First occurrence of "authenticator" in each major section
  - except section 7 because the first occurrence is in one of the
    algorithm steps.
  - except section 8 because the first occurrence is in the second
    subsection.
  - except section 10 because the first occurrence is in the extension
    definitions.
  - except section 11 because the first occurrence is in an item in a
    bullet-point list.
  - except section 12 because the first occurrence is already linked to
    "first-factor roaming authenticator".
  - except section 14 because the first occurrence is in an item in a
    bullet-point list.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/ca629756f3589c4bf17431156e13d5f362be9c21

* Add examples of authenticator types to Authenticator definition
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/a68031ae0bf89875788289bc2b537e29ede993e1

* Use RFC2119 for defined extensions (#1134)
  by Philippe Le Hegaret
https://github.com/w3c/webauthn/commit/c610a95ac555ea86bb8eb52640b947bdc36e6c5d

* Let requireUserPresence always be true in authenticator operations

This fixes an oversight in commit
7f831e3c7ebf669041c6413acc8005c3efa0eb8b which causes it to be
technically allowed for the authenticator to return (UV = 1, UP = 0),
though the RP operations as currently specified would not accept such a
response.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d9de1254080f44244954f378828046108911afd1

* Fix android-safetynet trust path
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/e09147554d84e808996344879f8d52791827ceaf

* Determine appid extension output after authenticator returns

This fixes the following corner case:

1. The user has a U2F authenticator A plugged in, which has been
   registered via the U2F API (i.e., with AppID).
2. The user has a CTAP2 authenticator B plugged in, which has been
   registered via the WebAuthn API (i.e., with RP ID).
3. The user initiates an authentication ceremony and the RP sets the
   `appid` extension.
4. The client runs the above client processing and discovers that
   authenticator A does not contain a credential for the RP ID, and
   retries with the AppID. This succeeds, and the client sets the
   extension's _output_ to `true`.
5. The client initiates authentication requests with both authenticator
   A and B, which both prompt the user for consent.
6. The user confirms user consent on authenticator B, which generates an
   assertion for the RP ID.
7. The client returns the assertion for the RP ID and the `appid` client
   extension output set to `true`.

So it was possible for the extension output to end up being `true` even
though the RP should verify the assertion using the RP ID and not the
AppID.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/776b7b14d6e8f64b101db7e92318c877c588e861

* Add None attestation case to RP ops registration step 16
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/1091652cbc24048c6bb2529aaa6f35d0596d627f

* Merge branch 'master' into pr-1082-user-handle-mapped
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/443a5567315c47eb65d830e3d00ae6fffe732a92

* Update wording as suggested by @selfissued

See https://github.com/w3c/webauthn/pull/1091#discussion_r254050190
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/10e5b47e5fa84b57665708ca70f98c802abd3df7

* update spec to Level 2 (#1156)

Ok, since we had agreement on this week's call on doing this, am merging. 
fixes #1138 #1155
  by =JeffH
https://github.com/w3c/webauthn/commit/c5c29b0eaf3cf072fca263184ab4870c13ec1e00

* Recommend minimal basic attestation batches (#1141)
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b4a6110c20e7e03b526ad798aa1c8b6adff4bb4d

* Provide transport information during registration. (#1050)

* Provide transport information during registration.

This change adds a `getTransports` method to
`AuthenticatorAttestationResponse` that returns the
`AuthenticatorTransport` used to perform a registration, as well as
other transports that the user agent believes that the authenticator
supports.

Fixes #889
Fixes #851
See also #882

* Update in light of PR discussion.

[ went ahead and merged due to no objections to doing so ]
  by Adam Langley
https://github.com/w3c/webauthn/commit/11d549048ac5e462a4f9f44499032302adb29800

* Merge pull request #1145 from w3c/issue-1136-none-attestation-policy

Add None attestation case to RP ops registration step 16
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/1909b5f0d0c85b1266cc9f04e0c31094972c4f6e

* Merge pull request #1091 from w3c/pr-1082-user-handle-mapped

Use "user handle mapped to user" language in user identification step
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/52d46854b4d02eddf8274ef5fdedecbe8994bf2b

* Fix incorrect description of AuthenticatorAttachment

Fixes #1153

See https://github.com/w3c/webauthn/issues/1153
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/9e72ec30ca11f8b23e9f09c28daa635f4171b77b

* Move AuthenticatorAttachment description to before IDL definition

For consistency with other IDL definition sections.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/eae2c22f5bf8ba95e3c60de85bd954c5e13915ec

* Remove outdated hypothetical text addition
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d16d62204030f6757f8680d8362dbb261d0ae4f8

* Merge branch 'master' into issue-1128-webauthn-authenticator
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/df3eb9fd540886b943c60496d2d593c8601a0d33

* Merge pull request #1130 from w3c/issue-1128-webauthn-authenticator

Add "Webauthn Authenticator" definition alias
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b387399a38862919a7e3b2b3fb4c354785196e91

* Merge pull request #1142 from w3c/issue-1132-android-safetynet-trust-path

Fix android-safetynet trust path
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/4c074692cdf1da862d494ca35c0c2b93dcad8258

* Fixed various links, including new TR link
  by plehegar
https://github.com/w3c/webauthn/commit/63640b3957d23a080462a6df4b723711bda7cfc9

* Merge pull request #1131 from w3c/issue-1128-authenticator-examples

Add examples of authenticator types to Authenticator definition
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/7bc2f0366c10e44d90390f2c8942738ff2759625

* Clarify relationship to trust path in RP registration step 16
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/fca27b3cd5a1cbf610063193aa9e6abd7a6c5c8e

* Apply clarification to ECDAA as well
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b175880e638b2b8803c2371758c1b1f4f5463e1a

* Merge pull request #1140 from w3c/issue-1123-uv-up

Let requireUserPresence always be true in authenticator operations
  by J.C. Jones
https://github.com/w3c/webauthn/commit/26cf7c62581ec913a06be4eb9ea94807a0468a32

* Merge pull request #1143 from w3c/issue-1034-appid-output-corner-case

Determine appid extension output after authenticator returns
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/4de25bb480f30dbca8e83381637a5e04872484fd

* Merge pull request #1118 from w3c/appid-note

Note that appid should be set to the previously used AppID
  by Adam Langley
https://github.com/w3c/webauthn/commit/11126e87846c1677f6f5bf56f33086b875ea5e66

* Move Angelo Liao to the Former Editors list (#1172)
  by Mike Jones
https://github.com/w3c/webauthn/commit/909b3c267babc181cdfc5d3aaf8b5033c5337703

* update registries draft per issue #1176 (#1177)


* this is rev -02 of this Internet-Draft:

* update JeffH's affiliation

* add registry initialization instructions, update WebAuthn spec citation

* fixing up various things, add doc history entry

* provide erefs to dfns for attstn stmt fmt and extns idents, thx Giri!
  by =JeffH
https://github.com/w3c/webauthn/commit/3fc3b1e8a71bf3a9962e7257ffcc0789dcfae023

* Allow authenticators to do None instead of Self attestation

See issue #978

https://github.com/w3c/webauthn/issues/978
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/88695f49408f27b0da57fcdcafa737f6d53cf5f3

* fixup registries internet-draft's abstract (#1181)

* update JeffH's affiliation

* add registry initialization instructions, update WebAuthn spec citation

* fixing up various things, add doc history entry

* provide erefs to dfns for attstn stmt fmt and extns idents, thx Giri!

* this is rev -02

* fix abstract

* fix various editorial items

* regen .html & .txt files from .xml
  by =JeffH
https://github.com/w3c/webauthn/commit/ce2b94710b78395a8d8ba55ae94d9904b1741067

* Update isUVPAA() scenario to agree with spec
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/f1b55b0a218d97ed015ceb7212a9b7ddacebfc05

* Fix grammar in section introduction
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/bd67d132b143bfed4e55bd32ed3435d36bc58402

* Change prohibitions on PII in user handles to MUST.

Fixes #1146
  by Adam Langley
https://github.com/w3c/webauthn/commit/5fd36c6c8c180631c6b93192bd65190533aa61a5

* Update SafetyNet attestation description (#1170)

* Update SafetyNet attestation description

Use official SafetyNet documentation as a reference rather than trying to keep this text up to date.
Also update links to documentation

* Clarify "ver" in safetynet

Explain what to do with "ver" during verification

* Fix typo

* fix more typos

* typo fix

* Updated wording around 'ver'
  by Alexei Czeskis
https://github.com/w3c/webauthn/commit/66515ffaf9d5d4cfcc2e882d1852434f4f333f8a

* Merge pull request #1185 from agl/issue1146

Change prohibitions on PII in user handles to MUST.
  by Adam Langley
https://github.com/w3c/webauthn/commit/7c793d2e0355b245d184a0de172fda197e0292dd

* Merge pull request #1168 from w3c/issue-1167-clarify-trust-path

Clarify relationship to trust path in RP registration step 16
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8678b43688f4f2fda83bb69586011a800160fadc

* Revert change to new TR link

As suggested in
https://github.com/w3c/webauthn/pull/1161#issuecomment-474941638
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/b8940315474bd52901df94a61532e5783128d977

* Fix typo in Authentication example
  by Julian Tescher
https://github.com/w3c/webauthn/commit/982edc7d668ed86979179dc4bcb2a0a3a1f6ef84

* Linked attestation statement format term in Section 8.1 to its definition, and linked to section 8.1 from 6.4. Fixes #1179.
  by James Barclay
https://github.com/w3c/webauthn/commit/191e67897c8513c64dec3c96a74364c891ab1906

* Created linkable definition for WebAuthn Extensions and linked to it throughout the spec. Fixes #1180.
  by James Barclay
https://github.com/w3c/webauthn/commit/a946a09e07b59daef158b0c171baef7ff3563796

* Merge pull request #1159 from w3c/issue-1153-authenticatorattachment-description

Fix incorrect AuthenticatorAttachment description
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/882985377ab4b3daf3d4960bab45a8cae624fd25

* Merge pull request #1190 from jtescher/patch-1

Fix typo in Authentication example
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/871a1af48961938deeb3105a3af9ba300482579b

* Merge pull request #1186 from w3c/link-fixes-no-tr

Revert change to new TR link
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/e02924d96d1579300df21027427e4335d8532adf

* Merge pull request #1182 from w3c/issue-978-self-attestation-not-required

Allow authenticators to do None instead of Self attestation
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d76ddf59892c12087b18399b89bb95685671fd70

* Merge branch 'master' into link-fixes
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/703f495f5ff8093ed4015d2fa9bce02fbd41abec

* Addressed @emlun's comments about additional occurrences of WebAuthn extensions.
  by James Barclay
https://github.com/w3c/webauthn/commit/bd638f382a85363f754be7e33892ccf6de121d21

* Addressed @equalsJeffH's comment about linking to the packed attestation statement format, rather than the definition of attestation statement formats.
  by James Barclay
https://github.com/w3c/webauthn/commit/c3e38641d39113eec8d75a16fb55bba08f41560a

* Merge pull request #1161 from w3c/link-fixes

Fixed various links, including new TR link
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/49fe1bb791362c271b95573924aad75b69797a73

* Point out that isUVPAA example ends if isUVPAA returns false
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/07b58d51007d33dca4e620b2c3d1a2e6346d0775

* Merge pull request #1184 from w3c/issue-1178-update-uvpaa-scenario

Update isUVPAA() scenario to agree with spec
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/2a68f5484246ddd44bb98c9a25568fb902e2159b

* Merge pull request #1192 from futureimperfect/link-attestation-statment-format

Linked attestation statement format term in Section 8.1 to its defini…
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/0cd0ca30c16d8408d3d3d47d132f29950a22a2ac

* Merge pull request #1193 from futureimperfect/create-linkable-def-for-webauthn-exts

Created linkable definition for WebAuthn Extensions and linked to it …
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/5d11e6255b85665d9faa8763e1de8c0fbac78826

* Merge branch 'master' into issue-1088-leap-of-faith
  by JeffH
https://github.com/w3c/webauthn/commit/d58c4ea368c4d6d56db9644bb3a3a7be94086a6a
Received on Thursday, 18 April 2019 19:50:58 UTC
