From e2ab213df8a99fc976cea08dbde42bfcf6851f3c Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 30 Sep 2024 15:44:20 +0200 Subject: [PATCH 1/2] Add aliased link texts for "human palatability" --- index.bs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/index.bs b/index.bs index 0db3e9d0a..0ef70503c 100644 --- a/index.bs +++ b/index.bs @@ -1179,7 +1179,7 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital enables the [=[RP]=] to re-verify the [=attestation signature=] at a later time. : authenticatorDisplayName - :: A [=human palatability|human-palatable=] description of the [=public key credential source=]. + :: A [=human-palatable=] description of the [=public key credential source=]. If used, the [=[RP]=] SHOULD use this to describe the [=credential record=] in the user's account settings. The [=[RP]=] SHOULD allow the user to choose this value, and MAY allow the user to modify it at will. @@ -1211,8 +1211,8 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital for [=single-device credentials=]. For [=multi-device credentials=], the generating authenticator may or may not be the same as the current [=managing authenticator=] participating in a given [=authentication=] operation. -: Human Palatability -:: An identifier that is [=human palatability|human-palatable=] is intended to be rememberable and reproducible by typical human +: Human Palatability +:: An identifier that is [=human-palatable=] is intended to be rememberable and reproducible by typical human users, in contrast to identifiers that are, for example, randomly generated sequences of bits [[EduPersonObjectClassSpec]]. : Non-Discoverable Credential @@ -3591,9 +3591,9 @@ associated with or [=scoped=] to, respectively.
: name - :: A [=human palatability|human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents: + :: A [=human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents: - - When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human palatability|human-palatable=] identifier for the [=[RP]=], intended only + - When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human-palatable=] identifier for the [=[RP]=], intended only for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех". - [=[RPS]=] SHOULD perform enforcement, as prescribed in Section 2.3 of @@ -3608,7 +3608,7 @@ associated with or [=scoped=] to, respectively. including the value as a parameter of the [=authenticatorMakeCredential=] operation. - When inherited by {{PublicKeyCredentialUserEntity}}, it is a - [=human palatability|human-palatable=] identifier for a [=user account=]. This + [=human-palatable=] identifier for a [=user account=]. This identifier is the primary value displayed to users by [=Clients=] to help users understand with which [=user account=] a credential is associated. @@ -3684,9 +3684,9 @@ credential. with more than one [=user account=] at the [=[RP]=]. : displayName - :: A [=human palatability|human-palatable=] name for the [=user account=], intended only for + :: A [=human-palatable=] name for the [=user account=], intended only for display. The [=[RP]=] SHOULD let the user choose this, and SHOULD NOT restrict the choice - more than necessary. If no suitable or [=human palatability|human-palatable=] name is + more than necessary. If no suitable or [=human-palatable=] name is available, the [=[RP]=] SHOULD set this value to an empty string. Examples of suitable values for this identifier include, "Alex Müller", "Alex Müller (ACME Co.)" or "田中倫". 
@@ -7372,7 +7372,7 @@ This [=client extension|client=] [=registration extension=] and [=authentication Note: some [=authenticators=] create [=discoverable credentials=] even when not requested by the [=client platform=]. Because of this, [=client platforms=] may be forced to omit the {{rk}} property because they lack the assurance to be able to set it to [FALSE]. [=[RPS]=] should assume that, if the `credProps` extension is supported, then [=client platforms=] will endeavour to populate the {{rk}} property. Therefore a missing {{rk}} indicates that the created credential is most likely a [=non-discoverable credential=]. : authenticatorDisplayName - :: This OPTIONAL property is a [=human palatability|human-palatable=] description of the credential's [=managing authenticator=], + :: This OPTIONAL property is a [=human-palatable=] description of the credential's [=managing authenticator=], chosen by the user. The [=client=] MUST allow the user to choose this value. From 8b137245bcf3667fd2909063eda0411eced38a5c Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 30 Sep 2024 15:56:30 +0200 Subject: [PATCH 2/2] Add [credential record/authenticatorDisplayName] handling to RP operations --- index.bs | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 0ef70503c..39264911f 100644 --- a/index.bs +++ b/index.bs 
@@ -1187,7 +1187,7 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital The [=credProps|Credential Properties Extension=] defines the [=credential property=] {{CredentialPropertiesOutput/authenticatorDisplayName}} which, when available, MAY be offered as a default for this value. - The [=[RP]=] MAY also derive a default value from the authenticator's [=attestation statement=], if any. + The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any. [=WebAuthn extensions=] MAY define additional [=struct/items=] needed to process the extension. @@ -6076,6 +6076,14 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o : [$credential record/attestationClientDataJSON$] :: |response|.{{AuthenticatorResponse/clientDataJSON}}. + + : [$credential record/authenticatorDisplayName$] + :: A [=human-palatable=] description of the [=public key credential source=]. + This SHOULD be chosen by the user. + + If |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}} is present, + then its value MAY be offered as a default for this value. + The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any. 
@@ -6260,6 +6268,11 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o update it to the value of the [=authData/flags/UV=] bit in the [=flags=] in |authData|. This change SHOULD require authorization by an additional [=authentication factor=] equivalent to WebAuthn [=user verification=]; if not authorized, skip this step. + 1. If |credentialRecord|.[$credential record/authenticatorDisplayName$] is used, + and |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}} + is present and not equal to |credentialRecord|.[$credential record/authenticatorDisplayName$], + then OPTIONALLY offer the user to update |credentialRecord|.[$credential record/authenticatorDisplayName$] + to the value of |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}. If the [=[RP]=] performs additional security checks beyond these WebAuthn [=authentication ceremony=] steps, the above state updates SHOULD be deferred to after those additional checks are completed successfully.
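Review bot: in the @@ -1179 hunk of PATCH 1/2 (and every other hunk in that patch) the autolink text is shortened from `[=human palatability|human-palatable=]` to `[=human-palatable=]`, but the only change visible at the definition site (@@ -1211) is the link inside the `::` description; the `-: Human Palatability` and `+: Human Palatability` term lines look identical as shown, so the alias that would make `human-palatable` resolve on its own is not visible in this diff. If the `dfn` gained an `lt` alias in markup the diff does not display, fine; otherwise every `[=human-palatable=]` link will fail to resolve when index.bs is built. Please confirm the alias exists before merging.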
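Review bot: in the @@ -1187 hunk of PATCH 2/2, replacing "also" with "alternatively" makes the attestation-derived default read as mutually exclusive with the `credProps` default rather than as a second option. If the intent is a fallback when `credProps` is absent, say so ("if no such default is available"); if both may be offered, keep "also". The same sentence is repeated verbatim in the @@ -6076 hunk, so whichever wording is chosen should be applied in both places.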
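Review bot: the new `credential record/authenticatorDisplayName` entry in the @@ -6076 hunk of PATCH 2/2 restates the definition from @@ -1179 but drops its "If used" qualifier, so in the registration steps it reads as a mandatory field of every credential record. Suggest opening with the same conditional, e.g. `:: If used, a [=human-palatable=] description of the [=public key credential source=].` Since the `credProps` output is produced by the client (it is not part of the authenticator data the RP verifies), it would also help to state that the RP treats the offered default as untrusted, user-controlled text and applies the same length and content limits it applies to any other user-chosen display string before storing it.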
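Review bot: the new authentication step in the @@ -6260 hunk of PATCH 2/2 rightly only offers the update rather than applying it, but it is inserted among the state updates that the following paragraph says "SHOULD be deferred to after those additional checks are completed successfully"; clarify whether the user prompt itself or only the write to |credentialRecord| is deferred. The step is also hard to read because the full `|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}` path appears three times; bind it once ("Let |displayName| be ...") and use |displayName| in the comparison and the update, matching how the surrounding steps refer to |authData| and |credentialRecord|.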