From 76e88e1d80947284a422894fe81d686f478ed67b Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 12 Oct 2023 14:08:47 -0700 Subject: [PATCH 1/5] Initial effort to allow credProps use during auth --- index.bs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/index.bs b/index.bs index 564e2529d..b4e8740eb 100644 --- a/index.bs +++ b/index.bs @@ -6371,7 +6371,7 @@ The "compound" attestation statement format is used to pass multiple, self-conta 2. If sufficiently many (as determined by [=[RP]=] policy) [=list/items=] of |attStmt| verify successfully, return implementation-specific values representing any combination of outputs from successful [=verification procedures=]. - + # WebAuthn Extensions # {#sctn-extensions} @@ -6777,13 +6777,13 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu ### Credential Properties Extension (credProps) ### {#sctn-authenticator-credential-properties-extension} -This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=]. +This [=client extension|client=] [=registration extension=] and [=authentication extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation or use of a [=public key credential source=]. : Extension identifier :: `credProps` : Operation applicability -:: [=registration extension|Registration=] +:: [=registration extension|Registration=] and [=authentication extension|authentication=] : Client extension input :: The Boolean value [TRUE] to indicate that this extension is requested by the [=[RP]=]. @@ -6797,9 +6797,7 @@ This [=client extension|client=] [=registration extension=] facilitates reportin :: None, other than to report on credential properties in the output. : Client extension output -:: [=map/Set=] [=credentialCreationData/clientExtensionResults=]["{{AuthenticationExtensionsClientOutputs/credProps}}"]["rk"] to the value of the |requireResidentKey| parameter that was used in the invocation of the [=authenticatorMakeCredential=] operation. - - +:: <xmp class="idl"> dictionary CredentialPropertiesOutput { boolean rk; USVString authenticatorDisplayName; @@ -6826,8 +6824,8 @@ This [=client extension|client=] [=registration extension=] facilitates reportin :: This OPTIONAL property is a [=human palatability|human-palatable=] description of the credential's [=managing authenticator=], chosen by the user. - The [=client=] MUST allow the user to choose this value, - MAY or MAY not present that choice during [=registration ceremonies=], + During [=registration ceremonies=] the [=client=] MUST allow the user to choose this value, + MAY or MAY not present that choice, and MAY reuse the same value for multiple credentials with the same [=managing authenticator=] across multiple [=[RPS]=]. The [=client=] MAY query the [=authenticator=], by some unspecified mechanism, for this value. From bd5ff7a18da497adaa2467411991200f36a3e4c3 Mon Sep 17 00:00:00 2001 From: Matthew Miller <mmiller@duosecurity.com> Date: Wed, 25 Oct 2023 11:08:01 -0700 Subject: [PATCH 2/5] Incorporate PR feedback --- index.bs | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/index.bs b/index.bs index b4e8740eb..bb4e98f7f 100644 --- a/index.bs +++ b/index.bs @@ -952,7 +952,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S and [=assertion=]. A [=[WAA]=] could be a [=roaming authenticator=], a dedicated hardware subsystem integrated into the [=client device=], - or a software component of the [=client=] or [=client device=]. A [=[WAA]=] is not necessarily confined to operating in + or a software component of the [=client=] or [=client device=]. A [=[WAA]=] is not necessarily confined to operating in a local context, and can generate or store a [=credential key pair=] in a server outside of [=client-side=] hardware. In general, an [=authenticator=] is assumed to have only one user. @@ -4109,11 +4109,11 @@ considered more trustworthy than the rest of the authenticator. Each authenticator stores a <dfn for=authenticator>credentials map</dfn>, a [=map=] from ([=rpId=], [=public key credential source/userHandle=]) to [=public key credential source=]. -Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or <dfn>AAGUID</dfn>, which is a 128-bit identifier -indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical -authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type -of authenticator SHOULD be randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain properties of the authenticator, such as -certification level and strength of key protection, using information from other sources. The [=[RP]=] MAY use the AAGUID to attempt to identify the maker of +Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or <dfn>AAGUID</dfn>, which is a 128-bit identifier +indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical +authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type +of authenticator SHOULD be randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain properties of the authenticator, such as +certification level and strength of key protection, using information from other sources. The [=[RP]=] MAY use the AAGUID to attempt to identify the maker of the authenticator without requesting and verifying [=attestation=], but the AAGUID is not provably authentic without [=attestation=]. The primary function of the authenticator is to provide [=WebAuthn signatures=], which are bound to various contextual data. These @@ -6824,19 +6824,32 @@ This [=client extension|client=] [=registration extension=] and [=authentication :: This OPTIONAL property is a [=human palatability|human-palatable=] description of the credential's [=managing authenticator=], chosen by the user. - During [=registration ceremonies=] the [=client=] MUST allow the user to choose this value, - MAY or MAY not present that choice, - and MAY reuse the same value for multiple credentials with the same [=managing authenticator=] across multiple [=[RPS]=]. + The [=client=] MUST allow the user to choose this value. + That choice MAY be presented during the [=registration ceremony|registration=] or + [=authentication ceremony|authentication=] ceremony or MAY be made available outside + the ceremony, for example in client settings. The [=client=] MAY reuse the same value + for multiple credentials with the same [=managing authenticator=] across multiple + [=[RPS]=]. - The [=client=] MAY query the [=authenticator=], by some unspecified mechanism, for this value. - The [=authenticator=] MAY allow the user to configure the response to such a query. - The [=authenticator=] vendor MAY provide a default response to such a query. + The [=client=] MAY query the [=authenticator=], by some unspecified mechanism, for this + value. The [=authenticator=] MAY allow the user to configure the response to such a + query. The [=authenticator=] vendor MAY provide a default response to such a query. The [=client=] MAY consider a user-configured response chosen by the user, and SHOULD allow the user to modify a vendor-provided default response. - If the [=[RP]=] includes an <code>[$credential record/authenticatorDisplayName$]</code> [=struct/item=] in [=credential records=], - the [=[RP]=] MAY offer this value, if present, - as a default value for the <code>[$credential record/authenticatorDisplayName$]</code> of the new [=credential record=]. + If the [=[RP]=] includes an <code>[$credential record/authenticatorDisplayName$]</code> + [=struct/item=] in its [=credential records=], the [=[RP]=] MAY offer this value, if + present, as a default value for the + <code>[$credential record/authenticatorDisplayName$]</code> of the new + [=credential record=] it stores after a [=registration ceremony=]. + + If the {{authenticatorDisplayName}} extension output from an [=authentication ceremony=] + is different from the <code>[$credential record/authenticatorDisplayName$]</code> of the + [=credential record=], + the [=[RP]=] MAY offer the user to update the + <code>[$credential record/authenticatorDisplayName$]</code> of the + [=credential record=]. + </div> From 5025ea2e0445f5023030929382ee9b18491b74df Mon Sep 17 00:00:00 2001 From: Matthew Miller <mmiller@duosecurity.com> Date: Wed, 25 Oct 2023 11:12:05 -0700 Subject: [PATCH 3/5] Restore rk instructions into client processing --- index.bs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index bb4e98f7f..157ecd3e4 100644 --- a/index.bs +++ b/index.bs @@ -6794,7 +6794,10 @@ This [=client extension|client=] [=registration extension=] and [=authentication : Client extension processing -:: None, other than to report on credential properties in the output. +:: [=map/Set=] [=credentialCreationData/clientExtensionResults=]["{{AuthenticationExtensionsClientOutputs/credProps}}"]["rk"] + to the value of the |requireResidentKey| parameter that was used in the + invocation of the [=authenticatorMakeCredential=] + operation. : Client extension output :: From 1d2d52152a46b0d3e2f9fb7bbf9558a5858b84a0 Mon Sep 17 00:00:00 2001 From: Emil Lundberg <emil@yubico.com> Date: Fri, 10 Nov 2023 11:24:53 +0100 Subject: [PATCH 4/5] Align credProps output reference with other extensions --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 157ecd3e4..6b5ccfd0f 100644 --- a/index.bs +++ b/index.bs @@ -6794,8 +6794,7 @@ This [=client extension|client=] [=registration extension=] and [=authentication : Client extension processing -:: [=map/Set=] [=credentialCreationData/clientExtensionResults=]["{{AuthenticationExtensionsClientOutputs/credProps}}"]["rk"] - to the value of the |requireResidentKey| parameter that was used in the +:: Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the invocation of the [=authenticatorMakeCredential=] operation. From 2472df637429f96be24dcb361df087c1cbaa50bb Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Fri, 10 Nov 2023 11:25:44 +0100 Subject: [PATCH 5/5] Add credProps client processing step to set authenticatorDisplayName --- index.bs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 6b5ccfd0f..a6c246330 100644 --- a/index.bs +++ b/index.bs @@ -6794,9 +6794,12 @@ This [=client extension|client=] [=registration extension=] and [=authentication : Client extension processing -:: Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the - invocation of the [=authenticatorMakeCredential=] - operation. +:: 1. If processed during a [=registration ceremony=]: + 1. Set {{CredentialPropertiesOutput/rk}} to the value of the |requireResidentKey| parameter that was used in the + invocation of the [=authenticatorMakeCredential=] + operation. + 1. Set {{CredentialPropertiesOutput/authenticatorDisplayName}} as described in its definition, using some client-specific procedure. + If no suitable value is found, let {{CredentialPropertiesOutput/authenticatorDisplayName}} be undefined. : Client extension output ::