[webauthn] new commits pushed by nicksteele from Nick Steele via GitHub on 2025-01-08 (public-webauthn@w3.org from January 2025)

From: Nick Steele via GitHub <sysbot+gh@w3.org>
Date: Wed, 08 Jan 2025 20:20:44 +0000
To: public-webauthn@w3.org
Message-ID: <push-6be55028e5e9896fcc25d11eb336c9f7849de29e-1736367641-sysbot+gh@w3.org>
The following commits were just pushed by nicksteele to https://github.com/w3c/webauthn:

* Add test vectors
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/6737d23798f11e8574086464eeb7a5adfbc81a0c

* Move PRF test vectors to Test Vectors section
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/d8898af4bd35630f687892d2993a77fc48bea49a

* Add blurb about why PRF test vectors have two sections
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/643273b0c000051fe42d9ba1e9d76675352e14bc

* Re-order test vectors for better legibility
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/83772885bd493a9b99a8db0368ace7fae829e97d

* Clarify behaviour of duplicate pubKeyCredParams and attestationFormats
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/dcf0ddb03bece66e6b2618b7422238ed12193761

* Use same wording of preference order for attestationFormats as pubKeyCredParams
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/eb13ee19cb4647991bbde2bb9da5685fe8fde0cd

* Store credential record last in RP registration ops
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/2b9d8af35e2843dc2dd60dcf95664567d12f3575

* Update credential record last in RP authentication ops
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/4d7da39e950b3add1be49f509fac6ece29896fb1

* Equalize wording of last step of RP assertion ops with registration ops
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/91cd386e2f1b580f31329b68b17c6be156275a10

* Fix reference to $$attStmtType in definition of attestation statement formats
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/804cece99aa047cc2c84af0d484e1a357cd88050

* Formalize attStmtTemplate as more correct CDDL

I don't think the expression `attStmtTemplate .within $$attStmtType`
successfully encodes the intent "Every attestation statement format must have
the above fields", for two reasons: it does not define a CDDL rule since it
contains no = sign, and even if it did, the `.within` control operator would apply
only to the new type defined by that rule, but not to the `attObj` type.

CDDL generally makes a distinction between types and groups, and only mentions
control operators applying to types, so I don't think we can apply `.within` to
`$$attStmtType` directly. This is why we need to duplicate the `authData` field
in `attStmtTemplate`.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/e6a998eb823871d7f6f7d51ebd0bfe4b8cdc68d2

* Allow attStmt to be of array type

This is required by the new "compound" attestation statement format.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/9b161676e556d1f855d4bfc3b9819bf32e2227fd

* Fix .within operator in nonCompountAttStmt

[CDDL][1] defines that:

>A map matches a specification given as a group when the group matches
>a sequence of name/value pairs such that all of these name/value
>pairs are present in the map and the map has no name/value pair that
>is not covered by the group.

Therefore the control `.within { fmt: text .ne "compound" }` forbids any maps
that contain additional fields besides `fmt`, which is clearly not what was
intended.

[1]: https://datatracker.ietf.org/doc/html/rfc8610#section-2.1
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8b29bec5a3db3f803478403a7ec41c80bec0d28e

* Rewrite Test Vectors introduction as applicable to all audiences
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/a0854aa1aca9980c5f07100c50d1d90aa6343a8c

* Note that test vectors have no attestation unless noted otherwise
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/abee3307949f314d737b1137b4bdd3cfa8b317e1

* Make remaining USVStrings into DOMStrings
  by philomathic_life
https://github.com/w3c/webauthn/commit/95fb560b547d5f8a631d96298f6fa013a0c67e7b

* Link "Object" to WebDriver instead of File API
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/8982a978d95e607693b1174ae74deac44f544f9b

* Fix AuthenticationExtensionsAuthenticatorInputs/Outputs CDDL

According to the CDDL grammar, after a control operator (called `ctlop` in the
ABNF grammar), there can only be a `type2` production:
https://datatracker.ietf.org/doc/html/rfc8610#appendix-B

In a `type2` production, wrapping parentheses can only be used to wrap a `type`
production. `tstr => any` is a `group` production, and needs to be wrapped in
curly braces or brackets.

In other words, from a CDDL grammar perspective, this is an invalid type:
  `foo .within ( tstr => any )`

This is valid:
  `foo .within { tstr => any }`

This update fixes the CDDL type definitions that used the `.within` operator
with an invalid type2.
  by Francois Daoust
https://github.com/w3c/webauthn/commit/8fa10df31c3c2eadbcb797164890563eb8ab6c5a

* Move .within control to correct position in extension input/outputs CDDL
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/5d855e79c4242c330c737f00a1f6b15c85c1fd1a

* Merge pull request #2218 from w3c/issue-2212-file-object

Link "Object" to WebDriver instead of File API
  by Adam Langley
https://github.com/w3c/webauthn/commit/81077df3d88c2b5762bb7c917cbc9db9d3cda7a2

* Merge pull request #2216 from w3c/issue-2210-compound-attStmtTemplate

Fix CDDL inconsistencies in attStmtType and compound format
  by Adam Langley
https://github.com/w3c/webauthn/commit/3bc830109a1092de107fefc557b33f182e358775

* Merge pull request #2214 from w3c/issue-2202-pref-list-duplicates

Clarify behaviour of duplicate pubKeyCredParams and attestationFormats
  by Adam Langley
https://github.com/w3c/webauthn/commit/09969718b3cb9dbbfe020bf5cd1d3a0086d2a696

* Merge pull request #2215 from w3c/issue-2204-premature-store-credential

Store/update credential record last in RP ops
  by Adam Langley
https://github.com/w3c/webauthn/commit/08d33dc98f8012d01e7edc81f052c785af7726af

* Merge pull request #2221 from w3c/pr-2219-tidoust

Fix AuthenticationExtensionsAuthenticatorInputs/Outputs CDDL
  by Michael B. Jones
https://github.com/w3c/webauthn/commit/57efac8e788c3ac058fcc995dbb4c2d177545fc1

* Merge pull request #2217 from zacknewman/domorigins

Make remaining `USVString`s `DOMString`s
  by Michael B. Jones
https://github.com/w3c/webauthn/commit/26e28ecd791dee84575284f55e61514637accc74

* Merge pull request #2209 from w3c/issue-1633-test-vectors

Add test vectors
  by Michael B. Jones
https://github.com/w3c/webauthn/commit/b36a79a8ff0f184c08d4e5b676acda0c6d5cab45

* Merge branch 'main' into issue-1979-notes
  by Nick Steele
https://github.com/w3c/webauthn/commit/6be55028e5e9896fcc25d11eb336c9f7849de29e



-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 8 January 2025 20:20:45 UTC