[webauthn] Differentiate when devicePubKey unsupported vs. failed? (#1846)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Differentiate when devicePubKey unsupported vs. failed? ==
[§10.2.2. Device-bound public key extension (devicePubKey)](https://w3c.github.io/webauthn/#sctn-device-publickey-extension) currently reads (emphasis added):

> If the [authenticator](https://w3c.github.io/webauthn/#authenticator) is incapable of generating a [hardware-bound device key pair](https://w3c.github.io/webauthn/#hardware-bound-device-key-pair), **or the registration or authentication operation fails** for any reason, this extension is ignored and no [hardware-bound device key pair](https://w3c.github.io/webauthn/#hardware-bound-device-key-pair) is created. In this case, there is **no [devicePubKey](https://w3c.github.io/webauthn/#devicepubkey) extension output** generated.

However, [§9.2. Defining Extensions](https://w3c.github.io/webauthn/#sctn-extension-specification) reads (emphasis added):

> Similarly, **any extension that requires authenticator processing MUST return an [authenticator extension output](https://w3c.github.io/webauthn/#authenticator-extension-output)** to let the [Relying Party](https://w3c.github.io/webauthn/#relying-party) know that the extension was honored by the authenticator. If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean [client extension output](https://w3c.github.io/webauthn/#client-extension-output) result, set to true to signify that the extension was understood and processed. **Likewise, any [authenticator extension](https://w3c.github.io/webauthn/#authenticator-extension) that does not otherwise require any result values MUST return a value** and SHOULD return a CBOR Boolean [authenticator extension output](https://w3c.github.io/webauthn/#authenticator-extension-output) result, set to true to signify that the extension was understood and processed.

I think it is appropriate that the extension returns no output when not supported or when the authenticator is incapable. But in the spirit of the above requirements and guidelines, there should probably be some way to differentiate between that and the case when the extension is supported but processing fails for some reason.

## Proposed Change

(The following assumes that PR #1845 will be merged)

- Change the authenticator extension output type from

  ```
  $$extensionOutput //= (
      devicePubKey: attObjForDevicePublicKey,
  )
  ```
  to
  ```
  $$extensionOutput //= (
      devicePubKey: attObjForDevicePublicKey / false,
  )
  ```
  and when authenticator extension processing fails for any reason (other than the authenticator being incapable), return `false` as the authenticator extension output and include no unsigned output in the unsigned extensions map.

  Essentially, a `false` output would indicate that the extension might succeed on that device if the RP retries the request at a later time, while an absent output would indicate the extension is unlikely to succeed if retried.

- When the authenticator extension output is `false`, return an empty object as the client extension output (i.e., let `signature` be `undefined`). [Any dictionary member that is not required is optional](https://webidl.spec.whatwg.org/#dictionary-member-optional), so this requires no change to the WebIDL.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1846 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 27 January 2023 12:08:39 UTC
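
How a Relying Party could tell the three outcomes apart under the change proposed in the issue above, as an added example that is not part of the issue or of the WebAuthn specification. It assumes the extensions CBOR map has already been extracted from the authenticator data and that `client_out` is the `devicePubKey` client extension output; `cbor_decode` and `classify_device_pub_key` are hypothetical names, and the decoder covers only the CBOR subset these constructed samples need.

```python
def cbor_decode(buf, pos=0):
    """Decode one CBOR item; only uint, bstr, tstr, map and false/true are handled."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):     # 0xf4 = false, 0xf5 = true
        return info == 21, pos
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite lengths not supported")
    if major == 0:
        return arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported major type")

def classify_device_pub_key(ext_cbor, client_out):
    """Map the proposed outputs to 'unsupported', 'failed' (retry later) or 'present'."""
    exts, end = cbor_decode(ext_cbor)
    if not isinstance(exts, dict) or end != len(ext_cbor):
        raise ValueError("extensions must be exactly one CBOR map")
    if "devicePubKey" not in exts:
        return "unsupported"                # absent: a retry is unlikely to help
    value = exts["devicePubKey"]
    if value is False:                      # identity check, so uint 0 does not match
        if "signature" in (client_out or {}):
            raise ValueError("signature present although authenticator output is false")
        return "failed"                     # proposed meaning: may succeed if retried
    if isinstance(value, (dict, bytes)):
        return "present"                    # next step: verify it as attObjForDevicePublicKey
    raise ValueError("devicePubKey output is neither attObj nor false")

# Constructed sample extension maps (not captured from a real authenticator).
SAMPLE_ABSENT = b"\xa0"
SAMPLE_FAILED = b"\xa1\x6c" + b"devicePubKey" + b"\xf4"
SAMPLE_PRESENT = b"\xa1\x6c" + b"devicePubKey" + b"\x43\x01\x02\x03"  # placeholder value
```

A `true` output is rejected because the proposed CDDL allows only `attObjForDevicePublicKey / false`.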