[webauthn] new commits pushed by agl

The following commits were just pushed by agl to https://github.com/w3c/webauthn:

* PRF extension.

Some applications such as password managers have requested the ability
to associate a symmetric key with a credential. The CTAP2 `hmac-secret`
extension allows something very like this, and is already widely
deployed. The limitation is that it's not possible to get an HMAC output
during registration because the extension only provides outputs for
assertions and it requires user presence. That gave me pause and we
could, instead, use the new credBlob extension. But I think the utility
of being able to rotate keys, and having existing hardware support, is
compelling enough and we'll have to see whether RPs can tolerate needing
two touches to set up.
  by Adam Langley

* Several updates to the PRF extension:

  · Now possible to pass in a set of PRF inputs, per-credential ID, when
    getting an assertion.
  · Inputs are now a structure rather than a list that had text
    specifying the valid lengths.
  · Wording updated to note that some authenticators may have only a
    single PRF.
  by Adam Langley

* Expand upon the example a little
  by Adam Langley

* Apply emlun's suggestion

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley

* Address emlun's comments
  by Adam Langley

* Reflect emlun's comments.

   · Drop the `enable` member and use presence of `prf` to enable.
   · Make the inputs ArrayBuffers and merge the two dictionaries.
  by Adam Langley

* Apply emlun's suggestions

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley

* Address a couple of emlun's comments
  by Adam Langley

* Several minor updates.

The handling of userVerification by RPs needed to be updated. For
example, even if they consistently specified “discouraged” for both
create() and get(), if they also set requireResidentKey then Chrome, for
one, will force UV during create. Thus RPs that are using a future CTAP
extension to evaluate the PRFs during create will have to inspect the
authenticator data to learn which PRF the output is from.

Otherwise, this tweaks some corner cases, like whether an empty
extension is echoed in an assertion if no keys were recognised in the
  by Adam Langley

* Apply suggestions from code review

Co-authored-by: Emil Lundberg <emil@emlun.se>
  by Adam Langley

* Address emlun's comments.
  by Adam Langley

* Always echo the extension
  by Adam Langley

* Merge pull request #1424 from agl/prf

PRF extension.
  by Adam Langley

Received on Wednesday, 1 July 2020 19:07:55 UTC