- From: Emil Lundberg <noreply@github.com>
- Date: Thu, 07 Mar 2019 19:51:58 +0000 (UTC)
- To: public-webauthn@w3.org
Branch: refs/heads/master
Home: https://github.com/w3c/webauthn

Commit: 776b7b14d6e8f64b101db7e92318c877c588e861
    https://github.com/w3c/webauthn/commit/776b7b14d6e8f64b101db7e92318c877c588e861
Author: Emil Lundberg <emil@yubico.com>
Date: 2019-01-18 (Fri, 18 Jan 2019)

Changed paths:
  M index.bs

Log Message:
-----------
Determine appid extension output after authenticator returns

This fixes the following corner case:

1. The user has a U2F authenticator A plugged in, which has been registered via the U2F API (i.e., with AppID).
2. The user has a CTAP2 authenticator B plugged in, which has been registered via the WebAuthn API (i.e., with RP ID).
3. The user initiates an authentication ceremony and the RP sets the `appid` extension.
4. The client runs the above client processing and discovers that authenticator A does not contain a credential for the RP ID, and retries with the AppID. This succeeds, and the client sets the extension's _output_ to `true`.
5. The client initiates authentication requests with both authenticator A and B, which both prompt the user for consent.
6. The user confirms user consent on authenticator B, which generates an assertion for the RP ID.
7. The client returns the assertion for the RP ID and the `appid` client extension output set to `true`.

So it was possible for the extension output to end up being `true` even though the RP should verify the assertion using the RP ID and not the AppID.

Commit: 4de25bb480f30dbca8e83381637a5e04872484fd
    https://github.com/w3c/webauthn/commit/4de25bb480f30dbca8e83381637a5e04872484fd
Author: Emil Lundberg <emil@emlun.se>
Date: 2019-03-07 (Thu, 07 Mar 2019)

Changed paths:
  M index.bs

Log Message:
-----------
Merge pull request #1143 from w3c/issue-1034-appid-output-corner-case

Determine appid extension output after authenticator returns

Compare: https://github.com/w3c/webauthn/compare/26cf7c62581e...4de25bb480f3
Received on Thursday, 7 March 2019 19:52:28 UTC