Re: [webauthn] Indicate resident key credential "preferred" during registration and find out what the authenticator offered (#991)

In follow-up from the working group call on March 13 and other discussion here, the semantics of the Web IDL changes proposed by @emlun seem agreeable. There was also a preference amongst the majority of those who spoke up to use **extensions** to communicate what the authenticator actually used rather than a flags bit. This comes with the caveat that there will never be a guarantee that the RP will know if a resident key credential has been provisioned because all extensions are OPTIONAL. The hope is that the proposal is really useful and will therefore be adopted by clients and authenticators.

The indication of resident/non-resident key type is really only needed as a registration extension, but might be useful also as an authentication extension, as it could allow RPs to discover the type of credential for existing registrations that were created under L1.

As such, I'll propose the following extension definition which covers both the create() and get() flows. If there is objection to using it on get(), then that part can be easily dropped. The extension is designed in a way such that if there are any other credential properties that might be of use, these can be included in the outputs dictionary. I've defined the extension as an authenticator extension as it is undefined as to whether or not the client has any way (other than for platform authenticators) to know what the authenticator provisioned or used. Clients may augment the extension output if they do have this knowledge. If anyone has further input on this, please chime in - I'm hoping to use the IDL updates proposed by @emlun plus this extension to form the basis of a PR for this issue.


### 10.10 Credential Properties Extension

This extension allows WebAuthn Relying Parties to query additional properties of the authenticator's credential created during a registration ceremony, or used during an authentication ceremony. 

**Extension identifier**
    credProps

**Operation applicability**
    Registration and Authentication

**Client extension input**
    The Boolean value `true` to indicate that this extension is requested by the Relying Party.

```
partial dictionary AuthenticationExtensionsClientInputs {
    boolean credProps;
};
```

**Client extension processing**
    None, except creating the authenticator extension input from the client extension input.

**Client extension output**
    Returns the dictionary of discovered credential properties as reported by either the authenticator itself or by the client if known, such as when a platform authenticator is used. This dictionary is initially defined with one credential property `rk` to indicate if the authenticator has created or used a resident key credential. Other credential properties MAY be returned in this extension.

```
dictionary CredentialPropertiesOutput {
    boolean rk;
};

partial dictionary AuthenticationExtensionsClientOutputs {
    CredentialPropertiesOutput credProps;
};
```

**Authenticator extension input**
    The Boolean value true, encoded in CBOR (major type 7, value 21).

**Authenticator extension processing**
    None, other than to report on credential properties in the output.

**Authenticator extension output**
    The authenticator sets the authenticator extension output `credProps` of type `CredentialPropertiesOutput`, encoded as a CBOR map.
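As an added example (not code from this comment or from the webauthn spec), the following Node.js snippet exercises both ends of the extension defined above: the CBOR bytes an authenticator exchanges for the `credProps` input (`true`, major type 7 value 21) and output (a map containing `rk`), and an RP-side check that treats a missing or incomplete extension output as "unknown", since the caveat in the comment is that extension support is OPTIONAL and the RP can never be guaranteed an answer. The helpers `cborEncode`, `cborDecode`, `residentKeyStatus` and `buildCreateOptions` are names chosen for this example; the CBOR code is a deliberately minimal encoder covering only the three CBOR types this extension uses, not a general library.

```javascript
// Added example, not code from the webauthn issue or spec. Exercises the
// proposed credProps extension end to end:
//   1. the CBOR authenticator extension input/output (minimal encoder/decoder), and
//   2. an RP-side check that treats a missing extension output as "unknown",
//      because extension support is OPTIONAL for clients and authenticators.
// Helper names (cborEncode, cborDecode, residentKeyStatus, buildCreateOptions)
// are assumptions chosen for this example. Runs under Node.js.

// Encode only what credProps needs: booleans (major type 7, simple values
// 20/21), UTF-8 text strings (major type 3) and maps with text keys (major type 5).
function cborHead(major, len) {
  if (len < 24) return Buffer.from([(major << 5) | len]);
  if (len < 256) return Buffer.from([(major << 5) | 24, len]);
  throw new RangeError('length beyond what this minimal encoder supports');
}

function cborEncode(value) {
  if (value === true) return Buffer.from([0xf5]);   // major type 7, value 21
  if (value === false) return Buffer.from([0xf4]);  // major type 7, value 20
  if (typeof value === 'string') {
    const utf8 = Buffer.from(value, 'utf8');
    return Buffer.concat([cborHead(3, utf8.length), utf8]);
  }
  if (value !== null && typeof value === 'object') {
    const keys = Object.keys(value);
    const parts = [cborHead(5, keys.length)];
    for (const k of keys) parts.push(cborEncode(k), cborEncode(value[k]));
    return Buffer.concat(parts);
  }
  throw new TypeError('unsupported value for this minimal encoder');
}

// Decode the same subset; anything outside it is rejected rather than guessed.
function decodeAt(buf, off) {
  if (off >= buf.length) throw new Error('truncated CBOR');
  const major = buf[off] >> 5;
  const info = buf[off] & 0x1f;
  let pos = off + 1;
  let len = info;
  if (major !== 7) {
    if (info === 24) {
      if (pos >= buf.length) throw new Error('truncated CBOR');
      len = buf[pos];
      pos += 1;
    } else if (info > 24) {
      throw new Error('unsupported length encoding');
    }
  }
  switch (major) {
    case 3:
      if (pos + len > buf.length) throw new Error('truncated text string');
      return [buf.subarray(pos, pos + len).toString('utf8'), pos + len];
    case 5: {
      const map = {};
      for (let i = 0; i < len; i++) {
        const [key, afterKey] = decodeAt(buf, pos);
        if (typeof key !== 'string') throw new Error('non-text map key');
        const [val, afterVal] = decodeAt(buf, afterKey);
        map[key] = val;
        pos = afterVal;
      }
      return [map, pos];
    }
    case 7:
      if (info === 20) return [false, pos];
      if (info === 21) return [true, pos];
      throw new Error('unsupported simple value ' + info);
    default:
      throw new Error('unsupported major type ' + major);
  }
}

// Decodes one CBOR item, e.g. the authenticator data extensions map
// {"credProps": {"rk": true}} as the authenticator would emit it.
function cborDecode(buf) {
  const [value, end] = decodeAt(buf, 0);
  if (end !== buf.length) throw new Error('trailing bytes after CBOR item');
  return value;
}

// RP side: three-way answer. "unknown" covers a client or authenticator that
// ignored the extension, or returned credProps without an rk member.
function residentKeyStatus(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (!props || typeof props.rk !== 'boolean') return 'unknown';
  return props.rk ? 'resident' : 'non-resident';
}

// Browser side (not executed here): create() options that request the extension.
// After the ceremony the RP reads credential.getClientExtensionResults() and
// passes it to residentKeyStatus() before deciding what to store.
function buildCreateOptions(challenge, rpId, userId, userName) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
      extensions: { credProps: true },
    },
  };
}
```

The point of the three-way result is that an RP must not record "non-resident" merely because `credProps` is absent from the client extension outputs; only an explicit `rk: false` says that, and the absent case should be stored as unknown so that a later authentication-time `credProps` query can fill it in.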


-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472662528 using your GitHub account

Received on Thursday, 14 March 2019 00:55:05 UTC