- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Aug 2024 23:58:40 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Add `mediation` to `PublicKeyCredentialJSON` ==

[WebAuthn Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) states (emphasis added):

> Upon successful execution of [`create()`](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) or [`get()`](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get), the [Relying Party](https://w3c.github.io/webauthn/#relying-party)'s script receives a [`PublicKeyCredential`](https://w3c.github.io/webauthn/#publickeycredential) containing an [`AuthenticatorAttestationResponse`](https://w3c.github.io/webauthn/#authenticatorattestationresponse) or [`AuthenticatorAssertionResponse`](https://w3c.github.io/webauthn/#authenticatorassertionresponse) structure, respectively, from the client. It must then deliver the contents of this structure to the [Relying Party](https://w3c.github.io/webauthn/#relying-party) _server_, using methods outside the scope of this specification. This section describes the operations that the [Relying Party](https://w3c.github.io/webauthn/#relying-party) must perform upon receipt of these structures.

Based on this description, I interpret that the expectation is for the server to perform all of the necessary validation. Step 14 of [Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential) cannot be performed without [`CredentialCreationOptions.mediation`](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation).

Either `mediation` should be added to [`RegistrationResponseJSON`](https://w3c.github.io/webauthn/#dictdef-registrationresponsejson) and [`AuthenticatorAssertionResponseJSON`](https://w3c.github.io/webauthn/#dictdef-authenticationresponsejson) so that the ceremony has a defined way of receiving this value, or it should be part of [`PublicKeyCredentialCreationOptions`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptions) and [`PublicKeyCredentialRequestOptions`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialrequestoptions) so the server has the value already upon receiving [`PublicKeyCredentialJSON`](https://w3c.github.io/webauthn/#typedefdef-publickeycredentialjson). I realize adding to the `PublicKeyCredentialCreationOptions` and `PublicKeyCredentialRequestOptions` is somewhat silly since `mediation` is already part of [`CredentialCreationOptions`](https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions), which `PublicKeyCredentialCreationOptions` is also part of via [`publicKey`](https://w3c.github.io/webauthn/#dom-credentialcreationoptions-publickey). The point of the JSON types is having a defined way for the server to send and receive all necessary information to perform the registration and authentication ceremony criteria, correct? Without this, there is still a non-standardized way for the server to receive this information, which is a big reason for the JSON types.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2124 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 16 August 2024 23:58:41 UTC
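To make the gap described in the issue concrete, here is an added example (not part of the issue, the WebAuthn spec, or any W3C code) of the kind of ad-hoc, non-standardized envelope a Relying Party has to define today: the browser wraps the output of `PublicKeyCredential.toJSON()` together with the `mediation` value it passed to `navigator.credentials.create()`/`get()`, and the server refuses to continue a ceremony whose mediation-dependent steps it could not evaluate. The envelope shape, the helper names `buildEnvelope`/`parseEnvelope`, and the sample credential payloads are assumptions constructed for this example; the set of `mediation` values is the `CredentialMediationRequirement` enum from Credential Management.

```javascript
// Added example, not code from the issue or the WebAuthn spec.
// Envelope shape and helper names are assumptions for illustration.

// CredentialMediationRequirement values from Credential Management Level 1.
const MEDIATION_VALUES = new Set(["silent", "optional", "conditional", "required"]);

// Browser side (assumed helper): carry the mediation value that was passed to
// navigator.credentials.create()/get() next to the PublicKeyCredentialJSON,
// because the JSON type itself does not include it.
function buildEnvelope(mediation, credentialJSON) {
  if (!MEDIATION_VALUES.has(mediation)) {
    throw new TypeError(`unknown mediation value: ${mediation}`);
  }
  return { mediation, credential: credentialJSON };
}

// Server side (assumed helper): validate the envelope's shape and refuse to
// start a ceremony when `mediation` is absent or not a known enum value.
// Returns { ok, ceremony, mediation, credential } or { ok: false, reason }.
function parseEnvelope(raw) {
  let env;
  try {
    env = JSON.parse(raw);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  if (typeof env !== "object" || env === null) {
    return { ok: false, reason: "envelope is not an object" };
  }
  if (!MEDIATION_VALUES.has(env.mediation)) {
    return { ok: false, reason: "mediation missing or invalid" };
  }
  const cred = env.credential;
  if (!cred || cred.type !== "public-key" || typeof cred.id !== "string" ||
      typeof cred.response !== "object" || cred.response === null) {
    return { ok: false, reason: "credential is not a PublicKeyCredentialJSON" };
  }
  // Distinguish the two ceremonies by the response members present.
  const r = cred.response;
  let ceremony;
  if (typeof r.attestationObject === "string") {
    ceremony = "registration";
  } else if (typeof r.signature === "string" && typeof r.authenticatorData === "string") {
    ceremony = "authentication";
  } else {
    return { ok: false, reason: "response matches neither ceremony" };
  }
  return { ok: true, ceremony, mediation: env.mediation, credential: cred };
}

// Constructed samples: shapes only, base64url payloads are placeholders.
const sampleRegistration = buildEnvelope("conditional", {
  id: "PLACEHOLDER_CRED_ID",
  rawId: "PLACEHOLDER_CRED_ID",
  type: "public-key",
  response: { clientDataJSON: "PLACEHOLDER", attestationObject: "PLACEHOLDER" },
  clientExtensionResults: {},
});
const sampleAuthentication = buildEnvelope("optional", {
  id: "PLACEHOLDER_CRED_ID",
  rawId: "PLACEHOLDER_CRED_ID",
  type: "public-key",
  response: {
    clientDataJSON: "PLACEHOLDER",
    authenticatorData: "PLACEHOLDER",
    signature: "PLACEHOLDER",
  },
  clientExtensionResults: {},
});
// A bare PublicKeyCredentialJSON, i.e. what toJSON() alone would deliver.
const sampleBareCredential = JSON.stringify(sampleRegistration.credential);

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseEnvelope(JSON.stringify(sampleRegistration)));
  console.log(parseEnvelope(JSON.stringify(sampleAuthentication)));
  console.log(parseEnvelope(sampleBareCredential)); // rejected: no mediation
}
```

The third call shows the issue's point from the server's side: a bare `PublicKeyCredentialJSON` is well-formed, yet the server cannot tell which mediation the client used and therefore cannot evaluate the mediation-dependent step without an out-of-band field like the one above.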