[webauthn] Invoking the authenticatorMakeCredential operation clarification (#2025)

dimitribouniol has just created a new issue for https://github.com/w3c/webauthn:

== Invoking the authenticatorMakeCredential operation clarification ==
## Proposed Change

I could be misinterpreting this, so I wanted to verify with an issue first, but it seems like the steps mentioned in 5.1.3 for [creating a new credential](https://w3c.github.io/webauthn/#CreateCred-InvokeAuthnrMakeCred) are mis-indented, suggesting that if the optional excludeCredentials are not provided, invoking `authenticatorMakeCredential` would never be done:

<img width="808" alt="image" src="https://github.com/w3c/webauthn/assets/225505/509e4fb4-2a20-487a-ad95-e47746340a53">

After several re-readings, this seems to make more sense logically:

```diff
 5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method
     ...
     25. While lifetimeTimer has not expired, perform the following actions depending upon lifetimeTimer, and the state and response for each authenticator in authenticators:
         ...
         → If an authenticator becomes available on this client device,
             ...
             23. For each credential descriptor C in pkOptions.excludeCredentials:
                 1. If C.transports is not empty, and authenticator is connected over a transport not mentioned in C.transports, the client MAY continue.
                     NOTE: If the client chooses to continue, this could result in inadvertently registering multiple credentials bound to the same authenticator if the transport hints in C.transports are not accurate. For example, stored transport hints could become inaccurate as a result of software upgrades adding new connectivity options.
                 2. Otherwise, Append C to excludeCredentialDescriptorList.
-                3. Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash, pkOptions.rp, pkOptions.user, requireResidentKey, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, enterpriseAttestationPossible, attestationFormats, and authenticatorExtensions as parameters.
-            24. Append authenticator to issuedRequests.
+            24. Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash, pkOptions.rp, pkOptions.user, requireResidentKey, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, enterpriseAttestationPossible, attestationFormats, and authenticatorExtensions as parameters.
+            25. Append authenticator to issuedRequests.
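Review bot: the `+ 24.` / `+ 25.` lines renumber the steps that follow the `For each credential descriptor C` loop, but the hunk ends at `+            25. Append authenticator to issuedRequests.` with no trailing context, so whether any later step or cross-reference inside the "If an authenticator becomes available" branch still points at the old step 24 cannot be checked from the diff; including the lines after step 25 would let reviewers confirm the renumbering is complete.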
```

As currently listed, this suggests that `authenticatorMakeCredential` should be invoked for every excluded credential descriptor instead of once with the list of excluded credential descriptors. If, however, the logical positioning is correct here, then perhaps some clarifying language about when `authenticatorMakeCredential` is called when `excludeCredentials` is not provided is warranted (I hope I'm not the only one confused here 😅).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2025 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
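As an added editorial example (not part of the issue above or of the WebAuthn spec text), the following Python model walks steps 23 to 25 for a single connected authenticator under both readings of the indentation, so the difference between "one invocation per descriptor" and "one invocation with the full list" can be observed directly; the names, the single-authenticator simplification and the choice to always exercise the "client MAY continue" branch are assumptions.

```python
# Added example: a model of WebAuthn 5.1.3 steps 23-25 for ONE authenticator.
# Names and the always-skip choice for the transport hint are assumptions;
# this is not the spec's or any client's real code.
from dataclasses import dataclass


@dataclass(frozen=True)
class CredentialDescriptor:
    """Minimal stand-in for a PublicKeyCredentialDescriptor (constructed)."""
    id: bytes
    transports: frozenset = frozenset()  # empty frozenset = no transport hint


def client_may_skip(c, authenticator_transport):
    """Step 23.1: the hint is non-empty and does not name the transport the
    authenticator is connected over. This model always takes the MAY."""
    return bool(c.transports) and authenticator_transport not in c.transports


def make_credential_as_written(descriptors, authenticator_transport):
    """Reading 1 (current indentation): the authenticatorMakeCredential call
    sits INSIDE the per-descriptor loop. Returns the excludeCredentialDescriptorList
    handed to each invocation, one entry per invocation."""
    invocations = []
    exclude_list = []
    for c in descriptors:
        if client_may_skip(c, authenticator_transport):
            continue  # steps 23.2 and 23.3 are skipped for this descriptor
        exclude_list.append(c)  # step 23.2
        invocations.append(list(exclude_list))  # step 23.3: partial list each time
    # No descriptors -> loop body never runs -> authenticator never invoked.
    return invocations


def make_credential_corrected(descriptors, authenticator_transport):
    """Reading 2 (proposed indentation): build the whole list in step 23, then
    invoke once in step 24. Exactly one invocation, even for an empty input."""
    exclude_list = [c for c in descriptors
                    if not client_may_skip(c, authenticator_transport)]
    return [exclude_list]  # step 24: a single invocation with the complete list


if __name__ == "__main__":
    # Constructed sample: authenticator connected over USB; one descriptor
    # hints NFC only, so the client skips it; one hints both; one has no hint.
    a = CredentialDescriptor(b"cred-a")
    b = CredentialDescriptor(b"cred-b", frozenset({"nfc"}))
    c = CredentialDescriptor(b"cred-c", frozenset({"usb", "nfc"}))
    print("as written:", make_credential_as_written([a, b, c], "usb"))
    print("corrected: ", make_credential_corrected([a, b, c], "usb"))
    print("no excludeCredentials, as written:", make_credential_as_written([], "usb"))
```

With no `excludeCredentials`, the first reading yields zero invocations while the second yields exactly one with an empty list, which is the discrepancy the issue describes.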

Received on Friday, 16 February 2024 09:55:53 UTC