From c2ec717da26c7021b64d5e52bc8dfd27ec257907 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 28 Nov 2023 13:13:20 +0100 Subject: [PATCH 1/2] Fix references to credential private key that should be credential source See issue #2002: https://github.com/w3c/webauthn/issues/2002 --- index.bs | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index e5f847486..6c75426e6 100644 --- a/index.bs +++ b/index.bs @@ -4551,13 +4551,14 @@ An [=authenticator=] can store a [=public key credential source=] in one of two 1. In persistent storage embedded in the [=authenticator=], [=client=] or [=client device=], e.g., in a secure element. This is a technical requirement for a [=client-side discoverable public key credential source=]. - 1. By encrypting (i.e., wrapping) the [=credential private key=] such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting - ciphertext be the [=credential ID=] for the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=] + 1. By encrypting (i.e., wrapping) the [=public key credential source=] + such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting + ciphertext be the [=credential ID=] of the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=] and returned to the [=authenticator=] via the {{PublicKeyCredentialRequestOptions/allowCredentials}} option of - {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=credential private key=]. + {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=public key credential source=]. - This enables the [=authenticator=] to have unlimited storage capacity for [=credential private keys=], since the encrypted - [=credential private keys=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a + This enables the [=authenticator=] to have unlimited credential storage capacity, since the encrypted + [=public key credential sources=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a [=credential=] stored in this way must be retrieved from the [=[RP]=] before the [=authenticator=] can use it. Which of these storage strategies an [=authenticator=] supports defines the [=authenticator=]'s credential storage @@ -4568,7 +4569,7 @@ modality as follows: credential capable. - An [=authenticator=] has the server-side credential storage modality if it does not have the [=client-side credential storage - modality=], i.e., it only supports storing [=credential private keys=] as a ciphertext in the [=credential ID=]. + modality=], i.e., it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=]. Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the From dbf6ca23d8cf8c3399a2ddde86d1222c0ceca023 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 28 Nov 2023 13:13:43 +0100 Subject: [PATCH 2/2] Say residentKey and requireResidentKey, not residentKey or requireResidentKey --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 6c75426e6..9e1525a52 100644 --- a/index.bs +++ b/index.bs @@ -4573,7 +4573,7 @@ modality as follows: Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the -{{AuthenticatorSelectionCriteria/residentKey}} or {{AuthenticatorSelectionCriteria/requireResidentKey}} options of +{{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} options of {{CredentialsContainer/create()}}.