Merge pull request #2003 from w3c/issue-2002-non-resident-storage
Fix references to credential private key that should be credential source
agl authored Dec 13, 2023
2 parents db0b659 + dbf6ca2 commit 26da246
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions index.bs
@@ -4559,13 +4559,14 @@ An [=authenticator=] can store a [=public key credential source=] in one of two
1. In persistent storage embedded in the [=authenticator=], [=client=] or [=client device=], e.g., in a secure element.
This is a technical requirement for a [=client-side discoverable public key credential source=].

1. By encrypting (i.e., wrapping) the [=credential private key=] such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting
ciphertext be the [=credential ID=] for the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=]
1. By encrypting (i.e., wrapping) the [=public key credential source=]
such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting
ciphertext be the [=credential ID=] of the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=]
and returned to the [=authenticator=] via the {{PublicKeyCredentialRequestOptions/allowCredentials}} option of
{{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=credential private key=].
{{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=public key credential source=].

This enables the [=authenticator=] to have unlimited storage capacity for [=credential private keys=], since the encrypted
[=credential private keys=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a
This enables the [=authenticator=] to have unlimited credential storage capacity, since the encrypted
[=public key credential sources=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a
[=credential=] stored in this way must be retrieved from the [=[RP]=] before the [=authenticator=] can use it.

Which of these storage strategies an [=authenticator=] supports defines the [=authenticator=]'s <dfn>credential storage
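Review bot: the last sentence of the rewritten paragraph, "a [=credential=] stored in this way must be retrieved from the [=[RP]=]", still uses the bare term [=credential=] while every other occurrence in this hunk has been changed to [=public key credential source=]; for the consistency this PR is about, consider "a [=public key credential source=] stored in this way must be retrieved from the [=[RP]=]". A second, smaller point on the second bullet: now that the ciphertext carried in the [=credential ID=] is described as the whole [=public key credential source=], which the authenticator receives back through {{PublicKeyCredentialRequestOptions/allowCredentials}}, the phrase "such that only this [=authenticator=] can decrypt (i.e., unwrap) it" speaks only to confidentiality; a short clause saying the authenticator must also be able to reject a [=credential ID=] it did not produce (i.e., the wrapping is authenticated) would make the security expectation explicit before the source is "used".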
@@ -4576,11 +4577,11 @@ modality</dfn> as follows:
credential capable</dfn>.

- An [=authenticator=] has the <dfn>server-side credential storage modality</dfn> if it does not have the [=client-side credential storage
modality=], i.e., it only supports storing [=credential private keys=] as a ciphertext in the [=credential ID=].
modality=], i.e., it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=].

Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY
at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the
{{AuthenticatorSelectionCriteria/residentKey}} or {{AuthenticatorSelectionCriteria/requireResidentKey}} options of
{{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} options of
{{CredentialsContainer/create()}}.


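Review bot: in the changed line "it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=]", the plural subject with the singular "a ciphertext" reads awkwardly; either "storing each [=public key credential source=] as a ciphertext in its [=credential ID=]" or drop the article ("as ciphertext in the [=credential ID=]"). The "or" to "and" change for {{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} reads correctly, since both options constrain the authenticator's choice of strategy.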