W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2020

[webauthn] new commits pushed by agl

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jul 2020 19:07:54 +0000
To: public-webauthn@w3.org
Message-ID: <push-4523af2807e7ff1ab000cf89ee319c918d68df41-1593630472-sysbot+gh@w3.org>

The following commits were just pushed by agl to https://github.com/w3c/webauthn:

* PRF extension.

Some applications such as password managers have requested the ability
to associate a symmetric key with a credential. The CTAP2 `hmac-secret`
extension allows something very like this, and is already widely
deployed. The limitation is that it's not possible to get an HMAC output
during registration because the extension only provides outputs for
assertions and it requires user presence. That gave me pause and we
could, instead, use the new credBlob extension. But I think the utility
of being able to rotate keys, and having existing hardware support, is
compelling enough and we'll have to see whether RPs can tolerate needing
two touches to setup.
  by Adam Langley
https://github.com/w3c/webauthn/commit/46a5c20d273bd69b71071ff384036592bddd61c5

* Several updates to the PRF extension:

  · Now possible to pass in a set of PRF inputs, per-credential ID, when
    getting an assertion.
  · Inputs are now a structure rather than a list that had text
    specifying the valid lengths.
  · Wording updated to note that some authenticators may have only a
    single PRF.
  by Adam Langley
https://github.com/w3c/webauthn/commit/84d56ffdb8ffe8322128c488ddd76ea114629918

* Expand upon the example a little
  by Adam Langley
https://github.com/w3c/webauthn/commit/ff73507a81b0c053557753b0b511eb1c9c73d251

* Apply emlun's suggestion

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley
https://github.com/w3c/webauthn/commit/4484d3f606ed021166c18714e69310d677fc9cd0

* Address emlun's comments
  by Adam Langley
https://github.com/w3c/webauthn/commit/ff3cf6c29c761e39454a5359aeebc25bb2516608

* Reflect emlun's comments.

   · Drop the `enable` member and use presence of `prf` to enable.
   · Make the inputs ArrayBuffers and merge the two dictionaries.
  by Adam Langley
https://github.com/w3c/webauthn/commit/5395c0b7d387503c03e1209ac84fe1e4b5efa77b

* Apply emlun's suggestions

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley
https://github.com/w3c/webauthn/commit/d4962148fc23aa7987567869a47087f4fd8e91d8

* Address a couple of emlun's comments
  by Adam Langley
https://github.com/w3c/webauthn/commit/3cf037fccc33af27eb9701ca07fafe16f8a37f34

* Several minor updates.

The handling of userVerification by RPs needed to be updated. For
example, even if they consistently specified “discouraged” for both
create() and get(), if they also set requireResidentKey then Chroem, for
one, will force UV during create. Thus RPs that are using a future CTAP
extension to evaluate the PRFs during create will have to inspect the
authenticator data to learn which PRF the output is from.

Otherwise, this tweaks some corner cases, like whether an empty
extension is echoed in an assertion if no keys were recognised in the
input.
  by Adam Langley
https://github.com/w3c/webauthn/commit/f9b09ffc891919fb5655c10294fc54fccfe7250c

* Apply suggestions from code review

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley
https://github.com/w3c/webauthn/commit/10e91362e71ab4a45fe44a2fb3b16bdaf0ea3a77

* Address emlun's comments.
  by Adam Langley
https://github.com/w3c/webauthn/commit/b26ca6622dd9b419859b08bf28917b3c76780d2c

* Always echo the extension
  by Adam Langley
https://github.com/w3c/webauthn/commit/b036d140629068b9982702e6bd889dc5a759ce3d

* Merge pull request #1424 from agl/prf

PRF extension.
  by Adam Langley
https://github.com/w3c/webauthn/commit/4523af2807e7ff1ab000cf89ee319c918d68df41
Received on Wednesday, 1 July 2020 19:07:55 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 1 July 2020 19:07:56 UTC