Merge pull request #1975 from pascoej/fix-bikeshed-compile
Fix the bikeshed build
pascoej authored Sep 27, 2023
2 parents baf774a + 4207bdd commit 3350ac7
Showing 1 changed file with 18 additions and 18 deletions.
36 changes: 18 additions & 18 deletions index.bs
@@ -1459,21 +1459,21 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S

This section normatively specifies the API for creating and using [=public key credentials=]. The basic
idea is that the credentials belong to the user and are [=managing authenticator|managed=] by a [=[WAA]=], with which the [=[WRP]=] interacts through the [=client platform=]. [=[RP]=] scripts can (with the [=user consent|user's consent=]) request the
browser to create a new credential for future use by the [=[RP]=]. See <a href="#fig-registration">Figure <span class="figure-num-following"/></a>, below.
browser to create a new credential for future use by the [=[RP]=]. See <a href="#fig-registration">Figure <span class="figure-num-following"></span></a>, below.


<figure id="fig-registration">
<img src="images/webauthn-registration-flow-01.svg"/>
<img src="images/webauthn-registration-flow-01.svg"></img>
<figcaption>Registration Flow</figcaption>
</figure>


Scripts can also request the user’s permission to perform
[=authentication=] operations with an existing credential. See <a href="#fig-authentication">Figure <span class="figure-num-following"/></a>, below.
[=authentication=] operations with an existing credential. See <a href="#fig-authentication">Figure <span class="figure-num-following"></span></a>, below.


<figure id="fig-authentication">
<img src="images/webauthn-authentication-flow-01.svg"/>
<img src="images/webauthn-authentication-flow-01.svg"></img>
<figcaption>Authentication Flow</figcaption>
</figure>

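Review bot: the `<img src="images/webauthn-registration-flow-01.svg"/>` to `<img ...></img>` change in this hunk is unnecessary and produces non-conforming HTML; only the `<span/>` change was needed. `img` is a void element, so the self-closing form was already valid (the trailing slash on a void element is simply ignored), whereas an explicit `</img>` end tag is a parse error that a conforming HTML parser discards; if Bikeshed's parser accepts it, that is leniency rather than correctness. `span` is the opposite case: in HTML `<span class="figure-num-following"/>` is not self-closing, so the parser opened a span that swallowed the following `</a>, below.` text and everything after it, which explains the build failure. Suggest `<img src="images/webauthn-registration-flow-01.svg">` (or keeping the original self-closing form) while retaining the `<span ...></span>` fix. The commit message says only "Fix the bikeshed build"; it would help to record which Bikeshed version or parser error this addresses, so the reason for the stricter markup remains findable later.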
@@ -4152,7 +4152,7 @@ The [=authenticator data=] has a compact but extensible encoding. This is desire
limited capabilities and low power requirements, with much simpler software stacks than the [=client platform=].

The [=authenticator data=] structure is a byte array of 37 bytes or more,
laid out as shown in <a href="#table-authData">Table <span class="table-ref-following"/></a>.
laid out as shown in <a href="#table-authData">Table <span class="table-ref-following"></span></a>.


<figure id="table-authData" class="table">
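Review bot: the span fix here is correct, but before merging it is worth grepping the rest of index.bs for any remaining `/>` on non-void elements: every `<span class="table-ref-following"/>` or `<span class="figure-num-following"/>` left behind will, as on the old line here, pull the closing `</a>` and the rest of the sentence inside the span, so the build stays fixed only if all occurrences are converted. Something like `grep -n '<span[^>]*/>' index.bs` returning nothing is a sufficient check.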
@@ -4247,10 +4247,10 @@ the requested [=public key credential|credential=] is [=scoped=] to exactly matc
- If the authenticator does not include any [=authData/extensions|extension data=], it MUST set the [=authData/flags/ED=] [=flag=] to zero, and to one if
[=authData/extensions|extension data=] is included.

<a href="#fig-authData">Figure <span class="figure-num-following"/></a> shows a visual representation of the [=authenticator data=] structure.
<a href="#fig-authData">Figure <span class="figure-num-following"></span></a> shows a visual representation of the [=authenticator data=] structure.

<figure id="fig-authData">
<img src="images/fido-signature-formats-figure1.svg"/>
<img src="images/fido-signature-formats-figure1.svg"></img>
<figcaption>[=Authenticator data=] layout.</figcaption>
</figure>

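Review bot: same issue with `<img src="images/fido-signature-formats-figure1.svg"></img>` as in the registration figure: `img` is a void element, so `</img>` is a stray end tag. Suggest `<img src="images/fido-signature-formats-figure1.svg">`; the `<span class="figure-num-following"></span>` change on the preceding line is the one that actually fixes the build.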
@@ -4306,11 +4306,11 @@ the same procedure as other [=assertion signatures=] generated by the [=authenti
### Credential Backup State ### {#sctn-credential-backup}

Credential [=backup eligibility=] and current [=backup state=] is conveyed by the [=authData/flags/BE=] and [=authData/flags/BS=] [=flags=] in the [=authenticator data=], as
defined in <a href="#table-authData">Table <span class="table-ref-previous"/></a>.
defined in <a href="#table-authData">Table <span class="table-ref-previous"></span></a>.

The value of the [=authData/flags/BE=] [=flag=] is set during [=authenticatorMakeCredential=] operation and MUST NOT change.

The value of the [=authData/flags/BS=] [=flag=] may change over time based on the current state of the [=public key credential source=]. <a href="#table-backupStates">Table <span class="table-ref-following"/></a> below defines
The value of the [=authData/flags/BS=] [=flag=] may change over time based on the current state of the [=public key credential source=]. <a href="#table-backupStates">Table <span class="table-ref-following"></span></a> below defines
valid combinations and their meaning.

<figure id="table-backupStates" class="table">
@@ -4412,7 +4412,7 @@ The above examples illustrate the primary <dfn>authenticator type</dfn> characte
- Whether the authenticator is [=discoverable credential capable=] &mdash; the [=credential storage modality=].

These characteristics are independent and may in theory be combined in any way,
but <a href="#table-authenticatorTypes">Table <span class="table-ref-following"/></a>
but <a href="#table-authenticatorTypes">Table <span class="table-ref-following"></span></a>
lists and names some [=authenticator types=] of particular interest.


@@ -4478,7 +4478,7 @@ typically a PIN or [=biometric recognition=].
The [=authenticator=] can thus act as two kinds of [=authentication factor=],
which enables [=multi-factor=] authentication while eliminating the need to share a password with the [=[RP]=].

The combinations not named in <a href="#table-authenticatorTypes">Table <span class="table-ref-previous"/></a>
The combinations not named in <a href="#table-authenticatorTypes">Table <span class="table-ref-previous"></span></a>
have less distinguished use cases:


@@ -4838,13 +4838,13 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
specified in [[#sctn-authenticator-data]] including |processedExtensions|, if any, as
the <code>[=authData/extensions=]</code> and excluding <code>[=attestedCredentialData=]</code>. This |authenticatorData| MUST include [=attested credential data=] if, and only if, |attestationFormat| is not `none`.
1. Let |signature| be the [=assertion signature=] of the concatenation <code>|authenticatorData| || |hash|</code> using the
[=public key credential source/privateKey=] of |selectedCredential| as shown in <a href="#fig-signature">Figure <span class="figure-num-following"/></a>, below. A simple,
[=public key credential source/privateKey=] of |selectedCredential| as shown in <a href="#fig-signature">Figure <span class="figure-num-following"></span></a>, below. A simple,
undelimited
concatenation is safe to use here because the [=authenticator data=] describes its own length. The [=hash of the serialized
client data=] (which potentially has a variable length) is always the last element.

<figure id="fig-signature">
<img src="images/fido-signature-formats-figure2.svg"/>
<img src="images/fido-signature-formats-figure2.svg"></img>
<figcaption>Generating an [=assertion signature=].</figcaption>
</figure>

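Review bot: `<img src="images/fido-signature-formats-figure2.svg"></img>` again adds an end tag to a void element; `<img src="images/fido-signature-formats-figure2.svg">` is the conforming form. The span fix in the numbered step above it is correct and is the part of this hunk that matters.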
@@ -4949,10 +4949,10 @@ Authenticators may be required to store arbitrary strings chosen by a [=[RP]=],

Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an [=authenticator=]. If string value truncation is the chosen accommodation then authenticators MAY truncate in order to make the string fit within a length equal or greater than the specified minimum supported length. Such truncation SHOULD also respect UTF-8 sequence boundaries or [=grapheme cluster=] boundaries [[UAX29]]. This defines the maximum truncation permitted and authenticators MUST NOT truncate further.

For example, in <a href="#fig-stringTruncation">figure <span class="figure-num-following"/></a> the string is 65 bytes long. If truncating to 64 bytes then the final 0x88 byte must be removed purely because of space reasons. Since that leaves a partial UTF-8 sequence the remainder of that sequence may also be removed. Since that leaves a partial [=grapheme cluster=] an authenticator may remove the remainder of that cluster.
For example, in <a href="#fig-stringTruncation">figure <span class="figure-num-following"></span></a> the string is 65 bytes long. If truncating to 64 bytes then the final 0x88 byte must be removed purely because of space reasons. Since that leaves a partial UTF-8 sequence the remainder of that sequence may also be removed. Since that leaves a partial [=grapheme cluster=] an authenticator may remove the remainder of that cluster.

<figure id="fig-stringTruncation">
<img src="images/string-truncation.svg"/>
<img src="images/string-truncation.svg"></img>
<figcaption>The end of a UTF-8 encoded string showing the positions of different truncation boundaries.</figcaption>
</figure>

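Review bot: as with the other figures, `<img src="images/string-truncation.svg"></img>` should be `<img src="images/string-truncation.svg">`; `</img>` is a parse error for a void element and the original self-closing form was already valid. Only the `<span class="figure-num-following"></span>` change is needed here.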
@@ -4995,14 +4995,14 @@ or otherwise perform [=None|no attestation=].

All this information is returned by [=authenticators=] any time a new [=public key credential=] is generated, and optionally when exercised, in the overall form of an
<dfn>attestation object</dfn>. The relationship of the [=attestation object=] with [=authenticator data=] (containing
[=attested credential data=]) and the [=attestation statement=] is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"/></a>, below.
[=attested credential data=]) and the [=attestation statement=] is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"></span></a>, below.

If an [=authenticator=] employs [=self attestation=] or [=None|no attestation=], then no provenance information is provided
for the [=[RP]=] to base a trust decision on.
In these cases, the [=authenticator=] provides no guarantees about its operation to the [=[RP]=].

<figure id="fig-attStructs">
<img src="images/fido-attestation-structures.svg"/>
<img src="images/fido-attestation-structures.svg"></img>
<figcaption>[=Attestation object=] layout illustrating the included [=authenticator data=] from a {{CredentialsContainer/create()|create()}} operation (containing [=attested credential
data=]) and the [=attestation statement=].</figcaption>
</figure>
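Review bot: same nit for `<img src="images/fido-attestation-structures.svg"></img>`: drop the `</img>` end tag (void element) and use `<img src="images/fido-attestation-structures.svg">`. The `<span ...></span>` change above it is the one that fixes the parse.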
@@ -5061,7 +5061,7 @@ Attestations in [=assertions=] could be helpful in at least the following situat
### Attested Credential Data ### {#sctn-attested-credential-data}

<dfn>Attested credential data</dfn> is a variable-length byte array added to the [=authenticator data=] when generating an [=attestation
object=] for a credential. Its format is shown in <a href="#table-attestedCredentialData">Table <span class="table-ref-following"/></a>.
object=] for a credential. Its format is shown in <a href="#table-attestedCredentialData">Table <span class="table-ref-following"></span></a>.

<figure id="table-attestedCredentialData" class="table">
<table class="complex data longlastcol" dfn-for="authData/attestedCredentialData">
