[webauthn] `credProps` output directions contradict notes (#2213)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== `credProps` output directions contradict notes ==
[`credProps`](https://w3c.github.io/webauthn/#credprops) states the following for the output:

> **Client extension output**
> [Set](https://infra.spec.whatwg.org/#map-set) [`clientExtensionResults`](https://w3c.github.io/webauthn/#credentialcreationdata-clientextensionresults)[`["credProps"]`](https://w3c.github.io/webauthn/#dom-authenticationextensionsclientoutputs-credprops)`["rk"]` to the value of the _requireResidentKey_ parameter that was used in the [invocation](https://w3c.github.io/webauthn/#CreateCred-InvokeAuthnrMakeCred) of the [authenticatorMakeCredential](https://w3c.github.io/webauthn/#authenticatormakecredential) operation.

If this is true, then I don't see how [`rk`](https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-rk) is optional, since per the above directive it will always be set because _requireResidentKey_ is always set (it defaults to `false` when not present). Furthermore, the notes about the extension later state that `rk` should only be set when the client platform knows definitively one way or the other; and if it does not know, then it should omit the property:

> Note: some [authenticators](https://w3c.github.io/webauthn/#authenticator) create [discoverable credentials](https://w3c.github.io/webauthn/#discoverable-credential) even when not requested by the [client platform](https://w3c.github.io/webauthn/#client-platform). Because of this, [client platforms](https://w3c.github.io/webauthn/#client-platform) may be forced to omit the [`rk`](https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-rk) property because they lack the assurance to be able to set it to `false`. [Relying Parties](https://w3c.github.io/webauthn/#relying-party) should assume that, if the `credProps` extension is supported, then [client platforms](https://w3c.github.io/webauthn/#client-platform) will endeavour to populate the [`rk`](https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-rk) property. Therefore a missing [`rk`](https://w3c.github.io/webauthn/#dom-credentialpropertiesoutput-rk) indicates that the created credential is most likely a [non-discoverable credential](https://w3c.github.io/webauthn/#non-discoverable-credential).

This justifies the reason `rk` is optional, but it clearly goes against the actual directive, which is to _always_ use _requireResidentKey_. I think the directive should be changed. I think it should state that `rk` should be set to `true` when _requireResidentKey_ is `true`; however, it should only set it to `false` when it knows for sure. This makes it align with the IDL, which has `rk` as optional, as well as with the notes.

For example, it seems as though Chromium follows the directive to just always use _requireResidentKey_, since it sets it to `false` when using my iPhone, which only supports resident keys. If the directive aligned with the notes, however, then perhaps Chromium would instead not set it.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2213 using your GitHub account


Received on Saturday, 23 November 2024 01:45:21 UTC