Re: [webauthn] Add `mediation` to `PublicKeyCredentialJSON` (#2124)

> [WebAuthn Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) states (emphasis added):
> 
> > Upon successful execution of [`create()`](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) or [`get()`](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get), the [Relying Party](https://w3c.github.io/webauthn/#relying-party)'s script receives a [`PublicKeyCredential`](https://w3c.github.io/webauthn/#publickeycredential) containing an [`AuthenticatorAttestationResponse`](https://w3c.github.io/webauthn/#authenticatorattestationresponse) or [`AuthenticatorAssertionResponse`](https://w3c.github.io/webauthn/#authenticatorassertionresponse) structure, respectively, from the client. It must then deliver the contents of this structure to the [Relying Party](https://w3c.github.io/webauthn/#relying-party) _server_, using methods outside the scope of this specification. This section describes the operations that the [Relying Party](https://w3c.github.io/webauthn/#relying-party) must perform upon receipt of these structures.
> 
> Based on this description, I interpret that the expectation is for the server to perform all of the necessary validation. Step 14 of [Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential) cannot be performed without [`CredentialCreationOptions.mediation`](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation):
> 
> > 14. Verify that the [UP](https://w3c.github.io/webauthn/#authdata-flags-up) bit of the [flags](https://w3c.github.io/webauthn/#authdata-flags) in _authData_ is set, unless _`options`_`.`[`mediation`](https://w3c.github.io/webappsec-credential-management/#dom-credentialcreationoptions-mediation) is set to [`conditional`](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional).
> 
> Either `mediation` should be added to [`RegistrationResponseJSON`](https://w3c.github.io/webauthn/#dictdef-registrationresponsejson) and [`AuthenticatorAssertionResponseJSON`](https://w3c.github.io/webauthn/#dictdef-authenticationresponsejson) so that the ceremony has a defined way of receiving this value, or it should be part of [`PublicKeyCredentialCreationOptions`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptions) and [`PublicKeyCredentialRequestOptions`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialrequestoptions) so the server has the value already upon receiving [`PublicKeyCredentialJSON`](https://w3c.github.io/webauthn/#typedefdef-publickeycredentialjson). I realize adding to the `PublicKeyCredentialCreationOptions` and `PublicKeyCredentialRequestOptions` is somewhat silly since `mediation` is already part of [`CredentialCreationOptions`](https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions), of which `PublicKeyCredentialCreationOptions` is also part via [`publicKey`](https://w3c.github.io/webauthn/#dom-credentialcreationoptions-publickey).
> 
> The point of the JSON types is having a defined way for the server to send and receive all necessary information to perform the registration and authentication ceremony criteria, correct? Without this, there is still necessary information missing which sort of defeats the purpose for the JSON types since clients and servers will be forced to come up with their own mechanism and not rely on a standardized way.
> 
> _* Note step 14 is technically incorrect since `mediation` is not a key of `PublicKeyCredentialCreationOptions` (see #2122)._

-- 
GitHub Notification of comment by BlingBling43
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2124#issuecomment-2294752368 using your GitHub account
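One way a Relying Party server can perform step 14 today, given that the JSON response types do not carry `mediation`: record the mediation value the RP itself chose when it issued the challenge and consult that stored state at verification time. The following is an added example, not code from the w3c/webauthn spec or from this thread. The in-memory ceremony store, the `CeremonyState` shape and the authenticator data bytes are constructed for illustration; only the flag bit positions, the 37-byte authenticator data prefix and the `CredentialMediationRequirement` values come from the specs.

```python
"""WebAuthn RP step 14 on the server: User Present flag vs. mediation.

Added example, not code from the w3c/webauthn spec or the thread above. It
assumes the RP server records the `mediation` value it chose when it issued
the challenge, so the value is available at verification time without being
echoed back by the client. The ceremony store and the authenticator data
bytes are constructed sample input, not real authenticator output.
"""
import hashlib
import os
import struct
from dataclasses import dataclass

# Bit positions of the authenticator data `flags` byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included

# CredentialMediationRequirement values from Credential Management Level 1.
MEDIATION_VALUES = {"silent", "optional", "conditional", "required"}


@dataclass
class CeremonyState:
    """What the RP stores per issued challenge (assumed server-side design)."""
    rp_id: str
    mediation: str


# challenge (bytes) -> state; an in-memory stand-in for the RP's session store.
_pending: dict[bytes, CeremonyState] = {}


def begin_ceremony(rp_id: str, mediation: str = "optional") -> bytes:
    """Issue a challenge and remember the mediation the RP will request."""
    if mediation not in MEDIATION_VALUES:
        raise ValueError(f"unknown mediation value: {mediation!r}")
    challenge = os.urandom(32)
    _pending[challenge] = CeremonyState(rp_id=rp_id, mediation=mediation)
    return challenge


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "signCount": sign_count,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
    }


def finish_ceremony(challenge: bytes, auth_data: bytes) -> bool:
    """Run the rpIdHash check and step 14 using the stored mediation value.

    Returns True when the response passes. The challenge is consumed either
    way, so a replayed response cannot be verified a second time.
    """
    state = _pending.pop(challenge, None)
    if state is None:
        return False  # unknown or already-used challenge
    parsed = parse_auth_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(state.rp_id.encode()).digest():
        return False
    # Step 14: UP must be set unless the RP asked for conditional mediation.
    if state.mediation != "conditional" and not parsed["up"]:
        return False
    return True


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data with no attested credential data."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))
```

The point of the design is that `mediation` never has to travel through `PublicKeyCredentialJSON` at all: it is an input the RP supplied to `create()`/`get()`, so it belongs to the RP's own ceremony state keyed by the challenge, and reading it from the client response would make a client-controlled value decide whether the user-presence check is enforced.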


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 17 August 2024 07:38:40 UTC