Re: [webauthn] Indicate resident key credential "preferred" during registration and find out what the authenticator offered (#991)

I think the `forbidden` value requires a breaking change to the authenticator API.

Currently the client simply forwards the `options.authenticatorSelection.requireResidentKey` (or `false` if not set) to the [`authenticatorMakeCredential`][amc] operation. `true` means the authenticator MUST create a client-side-resident credential, and `false` means the authenticator MAY create a client-side- or a server-side-resident credential at its discretion.

PR #1191 as currently written adds some logic where the client will contextually ignore authenticators based on their characteristics, but still ultimately sends the same [`requireResidentKey`][effreq] parameter to [`authenticatorMakeCredential`][amc]. This is probably the best we can do without breaking the authenticator API. However, when the authenticator is capable of both client-side- and server-side-resident credentials, then the existing Boolean `requireResidentKey` parameter to [`authenticatorMakeCredential`][amc] doesn't capture the requirement that the authenticator MUST NOT create a client-side-resident credential.

So I think we need to either

1. break the authenticator API, by introducing a new parameter that replaces `requireResidentKey`, or
2. drop the `forbidden` value.

(1) obviously has the downside of requiring change to CTAP as well, but it also comes with additional benefits for `preferred` and `indifferent`, as authenticators capable of both storage modalities can then decide based on context. For example, an authenticator with limited storage space could create a resident credential when `preferred` if there are 10 or more storage slots available.

Thoughts on that?

[amc]: https://w3c.github.io/webauthn/#op-make-cred
[effreq]: https://pr-preview.s3.amazonaws.com/sbweeden/webauthn/pull/1191.html#effective-resident-key-requirement-for-credential-creation

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-476693460 using your GitHub account

Received on Tuesday, 26 March 2019 15:09:38 UTC
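To make the information-loss argument above concrete, here is an added sketch (not code from the WebAuthn spec, PR #1191 or the comment author). It models the current client behaviour of forwarding a Boolean `requireResidentKey` to `authenticatorMakeCredential`, a simulated authenticator that supports both storage modalities, and a hypothetical three-valued replacement parameter; the `residentKey` option name, the `PREFERRED_MIN_FREE_SLOTS` constant and the return strings are assumptions for illustration.

```javascript
// Added example (not from the WebAuthn spec, PR #1191 or the comment author).
// Models the client -> authenticator hand-off described above and a
// hypothetical replacement for the Boolean requireResidentKey parameter.
// Return values 'client-side' / 'server-side' name the storage modality chosen.

// Current client behaviour: forward options.authenticatorSelection.requireResidentKey,
// or false if unset, to authenticatorMakeCredential.
function effectiveRequireResidentKey(options) {
  const sel = (options && options.authenticatorSelection) || {};
  return sel.requireResidentKey === true;
}

// Authenticator capable of both modalities, driven by today's Boolean.
// true  => MUST create a client-side-resident credential.
// false => MAY create either; this model keeps a resident copy whenever it has room.
function makeCredentialBoolean(requireResidentKey, freeSlots) {
  if (requireResidentKey) {
    if (freeSlots < 1) throw new Error('no storage for resident credential');
    return 'client-side';
  }
  return freeSlots >= 1 ? 'client-side' : 'server-side';
}

// Hypothetical replacement parameter (assumption, not in the spec):
// 'required' | 'preferred' | 'indifferent' | 'forbidden'.
// PREFERRED_MIN_FREE_SLOTS mirrors the "10 or more storage slots" heuristic above.
const PREFERRED_MIN_FREE_SLOTS = 10;
function makeCredentialTriState(residentKey, freeSlots) {
  switch (residentKey) {
    case 'required':
      if (freeSlots < 1) throw new Error('no storage for resident credential');
      return 'client-side';
    case 'preferred':
      return freeSlots >= PREFERRED_MIN_FREE_SLOTS ? 'client-side' : 'server-side';
    case 'forbidden':
      return 'server-side'; // the requirement the Boolean cannot express
    case 'indifferent':
    default:
      return freeSlots >= 1 ? 'client-side' : 'server-side';
  }
}

// RP asks for 'forbidden' (hypothetical option name); today's client can only
// forward a Boolean (false), so the authenticator may still store the credential.
function forbiddenLostViaBoolean(freeSlots) {
  const options = { authenticatorSelection: { residentKey: 'forbidden' } };
  return makeCredentialBoolean(effectiveRequireResidentKey(options), freeSlots);
}
```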