From 9e5820850ad5738af4adc7c9bbe1bd8e59dae4a3 Mon Sep 17 00:00:00 2001
From: rlin1
Date: Mon, 12 Feb 2024 13:28:33 +0100
Subject: [PATCH 1/7] user verification caching etension added - to model behavior of some passkey providers
---
index.bs | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
diff --git a/index.bs b/index.bs
index 4178af162..46064bde8 100644
--- a/index.bs
+++ b/index.bs
@@ -7580,6 +7580,68 @@ To Create a new supplemental public key record, perform t
 [=set/append=] this [=supplemental public key record=] to |credentialRecord|.[$credential record/supplementalPubKeys$].
+### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension}
+
+In some cases it is good enough for the [=RP=] to know whether
+ the user was verified by the authenticator "recently".
+ This extension allows the [=RP=] to specify such [=user verification=]
+ caching time, i.e. the time for which the
+ [=user verification=] status can be "cached" by the [=authenticator=].
+
+For example: Do not ask the user for a fresh [=user verification=] for sign-in
+ if the user was verified by this authenticator within the past 300 seconds.
+
+#### Extension Definition #### {#sctn-user-verification-cacing-extension-definition}
+
+: Extension identifier
+:: `userVerificationCaching`
+
+: Operation applicability
+:: [=authentication extension|authentication=]
+
+: Client extension input
+:: The maximum [=user verification=] caching time denotes the maximum acceptable number of seconds elapsed since the last time the user was successfully verified.
+
+ partial dictionary AuthenticationExtensionsClientInputs {
+ unsigned short maxUVC;
+ };
+
+
+: Client extension processing
+:: None, except creating the [=authenticator extension input=] from the client extension input.
+
+: Client extension output
+:: Returns a JSON object denoting the maximum acceptable number of seconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=].
+
+ partial dictionary AuthenticationExtensionsClientOutputs {
+ unsigned short maxUVC;
+ };
+
+
+: Authenticator extension input
+:: The maxUVC time in seconds, encoded in CBOR.
+
+ ```
+ $$extensionInput //= (
+ maxUVC: uint .size 2
+ )
+ ```
+
+: Authenticator extension processing
+:: When user verification is requested, the [=authenticator=] triggers user verification only if more seconds have elapsed since the last time the user was verified
+ than indicated by the maxUVC extension.
+
+: Authenticator extension output
+:: If no fresh user verification needed to be triggered triggered, the authenticator reports the maxUVC time back to the [=RP=] to ensure the [=RP=] is aware
+ that no fresh user verification was triggered.
+
+ ```
+ $$extensionOutput //= (
+ maxUVC: uint .size 2
+ )
+ ```
+
+
 # User Agent Automation # {#sctn-automation}
 For the purposes of user agent automation and [=web application=] testing, this document defines a number of [[WebDriver]] [=extension commands=].
@@ -9189,6 +9251,22 @@ for their contributions as our W3C Team Contacts.
 "date": "June 2019"
 },
+ "RFC9052": {
+ "authors": ["Jim Schaad"],
+ "title": "CBOR Object Signing and Encryption (COSE): Structures and Process",
+ "href": "https://datatracker.ietf.org/doc/rfc9052/",
+ "status": "IETF Internet Standard",
+ "date": "August 2022"
+ },
+
+ "RFC9053": {
+ "authors": ["Jim Schaad"],
+ "title": "CBOR Object Signing and Encryption (COSE): Initial Algorithms",
+ "href": "https://datatracker.ietf.org/doc/rfc9053/",
+ "status": "RFC Informational",
+ "date": "August 2022"
+ },
+
 "ISOBiometricVocabulary": {
 "authors": ["ISO/IEC JTC1/SC37"],
 "title": "Information technology — Vocabulary — Biometrics",
From d2ce9ce420364cd8341d56ab451ec05a63333eb6 Mon Sep 17 00:00:00 2001
From: rlin1
Date: Thu, 29 Feb 2024 12:56:18 +0100
Subject: [PATCH 2/7] added suggested changes
---
index.bs | 31 +++++++++++++------------------
1 file changed, 13 insertions(+), 18 deletions(-)
diff --git a/index.bs b/index.bs
index 46064bde8..10b1c5149 100644
--- a/index.bs
+++ b/index.bs
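Review bot: The Authenticator extension output entry only covers the case where no fresh user verification was triggered, so an authenticator that did verify the user freshly and one that ignored the extension both yield an absent output, and the [=RP=] can neither tell those apart nor relate either case to the UV flag in the returned authenticator data. I would make the output mandatory whenever the authenticator processes the extension, e.g. `:: If a fresh user verification was triggered, the authenticator returns 0; otherwise it returns the maxUVC time. An absent output means the extension was not processed and the [=RP=] MUST NOT assume any bound on the time since the last user verification.` The phrase "needed to be triggered triggered" doubles the verb, and the same sentence is carried forward unchanged by the `@@ -7611` hunk of the second patch and the `@@ -7628` hunk of the fourth. The heading id `sctn-user-verification-cacing-extension-definition` is misspelled, although the fifth patch in the series removes that heading.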
@@ -7582,14 +7582,11 @@ To Create a new supplemental public key record, perform t
 ### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension}
-In some cases it is good enough for the [=RP=] to know whether
- the user was verified by the authenticator "recently".
- This extension allows the [=RP=] to specify such [=user verification=]
- caching time, i.e. the time for which the
- [=user verification=] status can be "cached" by the [=authenticator=].
+In some cases it is good enough for the [=RP=] to know whether the user was verified by the authenticator "recently".
-For example: Do not ask the user for a fresh [=user verification=] for sign-in
- if the user was verified by this authenticator within the past 300 seconds.
+This extension allows the [=RP=] to specify such [=user verification=] caching time, i.e. the time for which the [=user verification=] status can be "cached" by the [=authenticator=].
+
+For example: Do not ask the user for a fresh [=user verification=] for sign-in if the user was verified by this authenticator within the past 300 seconds.
 #### Extension Definition #### {#sctn-user-verification-cacing-extension-definition}
@@ -7600,10 +7597,10 @@ For example: Do not ask the user for a fresh [=user verification=] for sign-in
 :: [=authentication extension|authentication=]
 : Client extension input
-:: The maximum [=user verification=] caching time denotes the maximum acceptable number of seconds elapsed since the last time the user was successfully verified.
+:: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified.
 partial dictionary AuthenticationExtensionsClientInputs {
- unsigned short maxUVC;
+ uint maxTimeSinceLastUV;
 };
@@ -7611,33 +7608,31 @@ For example: Do not ask the user for a fresh [=user verification=] for sign-in
 :: None, except creating the [=authenticator extension input=] from the client extension input.
 : Client extension output
-:: Returns a JSON object denoting the maximum acceptable number of seconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=].
+:: Returns the number of milliseconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=].
 partial dictionary AuthenticationExtensionsClientOutputs {
- unsigned short maxUVC;
+ uint timeSinceLastUV;
 };
 : Authenticator extension input
-:: The maxUVC time in seconds, encoded in CBOR.
+:: The maximum acceptable time in milliseconds elapsed since last user verification, encoded in CBOR.
 ```
 $$extensionInput //= (
- maxUVC: uint .size 2
+ mtslUV: uint .size 4
 )
 ```
 : Authenticator extension processing
-:: When user verification is requested, the [=authenticator=] triggers user verification only if more seconds have elapsed since the last time the user was verified
- than indicated by the maxUVC extension.
+:: When user verification is requested, the [=authenticator=] triggers user verification only if more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension.
 : Authenticator extension output
-:: If no fresh user verification needed to be triggered triggered, the authenticator reports the maxUVC time back to the [=RP=] to ensure the [=RP=] is aware
- that no fresh user verification was triggered.
+:: If no fresh user verification needed to be triggered triggered, the authenticator reports the time last last user verification time back to the [=RP=] to ensure the [=RP=] is aware that no fresh user verification was triggered. It is up to the authenticator to decide whether to return the real elapsed time, or a "rounded" value. If user verification was requested, this value SHALL not exceed the value originally provided in the extension input.
 ```
 $$extensionOutput //= (
- maxUVC: uint .size 2
+ tslUV: uint .size 4
 )
 ```
From 9b431ce6bdcafe00075010f4a510baf21ca7e1b6 Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Tue, 19 Mar 2024 22:53:50 +0100
Subject: [PATCH 3/7] Fix WebIDL uint type
---
index.bs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.bs b/index.bs
index 10b1c5149..27b4a0b9e 100644
--- a/index.bs
+++ b/index.bs
@@ -7600,7 +7600,7 @@ For example: Do not ask the user for a fresh [=user verification=] for sign-in i
 :: The maxTimeSinceLastUV denotes the maximum acceptable number of milliseconds elapsed since the last time the user was successfully verified.
 partial dictionary AuthenticationExtensionsClientInputs {
- uint maxTimeSinceLastUV;
+ unsigned long long maxTimeSinceLastUV;
 };
@@ -7611,7 +7611,7 @@ For example: Do not ask the user for a fresh [=user verification=] for sign-in i
 :: Returns the number of milliseconds elapsed since the last time the user was successfully verified as returned by the [=authenticator=].
 partial dictionary AuthenticationExtensionsClientOutputs {
- uint timeSinceLastUV;
+ unsigned long long timeSinceLastUV;
 };
From 907447547ba58906728b7be44f3ddefc8e011c66 Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Tue, 19 Mar 2024 22:53:24 +0100
Subject: [PATCH 4/7] Use [RP] macro
---
index.bs | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/index.bs b/index.bs
index 27b4a0b9e..ae93f4f88 100644
--- a/index.bs
+++ b/index.bs
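Review bot: The rewritten output entry lets the authenticator return a "rounded" value without fixing the rounding direction, so a value rounded down understates the time since the last verification and an [=RP=] that applies a tighter policy of its own to `timeSinceLastUV` is misled; since the next clause already caps the value at the input, rounding up is the only direction that keeps the reported value a safe upper bound. I would replace the last two sentences with `It is up to the authenticator to decide whether to return the real elapsed time or a value rounded up (never one smaller than the real elapsed time); if user verification was requested, this value SHALL NOT exceed the value originally provided in the extension input.` The same line still reads "needed to be triggered triggered" and "reports the time last last user verification time", and the `@@ -7628` hunk of the fourth patch carries both forward unchanged. The CDDL keys `mtslUV` and `tslUV` are nowhere explained as the CBOR encodings of `maxTimeSinceLastUV` and `timeSinceLastUV`; a one-line remark after each CDDL block would spare implementers the guess.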
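Review bot: `unsigned long long maxTimeSinceLastUV` admits values up to 2^64-1 while the authenticator extension input is still `mtslUV: uint .size 4`, and the Client extension processing entry says there is none, so a value that does not fit in four bytes has no defined handling; the same mismatch exists between `timeSinceLastUV` and `tslUV: uint .size 4` in this patch's second hunk. Either narrow the WebIDL type to `unsigned long` (32 bits, matching the CDDL) or add a client processing step along the lines of `:: If maxTimeSinceLastUV does not fit in an unsigned 32-bit integer, the client MUST fail the operation rather than truncate the value it forwards to the authenticator.` A silent truncation would hand the authenticator a bound unrelated to the one the [=RP=] asked for. The rest of the extension definition lies outside this hunk.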
@@ -7582,9 +7582,9 @@ To Create a new supplemental public key record, perform t
 ### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension}
-In some cases it is good enough for the [=RP=] to know whether the user was verified by the authenticator "recently".
+In some cases it is good enough for the [=[RP]=] to know whether the user was verified by the authenticator "recently".
-This extension allows the [=RP=] to specify such [=user verification=] caching time, i.e. the time for which the [=user verification=] status can be "cached" by the [=authenticator=].
+This extension allows the [=[RP]=] to specify such [=user verification=] caching time, i.e. the time for which the [=user verification=] status can be "cached" by the [=authenticator=].
 For example: Do not ask the user for a fresh [=user verification=] for sign-in if the user was verified by this authenticator within the past 300 seconds.
@@ -7628,7 +7628,7 @@ For example: Do not ask the user for a fresh [=user verification=] for sign-in i
 :: When user verification is requested, the [=authenticator=] triggers user verification only if more milliseconds have elapsed since the last time the user was verified than indicated by the maxTimeSinceLastUV value in the extension.
 : Authenticator extension output
-:: If no fresh user verification needed to be triggered triggered, the authenticator reports the time last last user verification time back to the [=RP=] to ensure the [=RP=] is aware that no fresh user verification was triggered. It is up to the authenticator to decide whether to return the real elapsed time, or a "rounded" value. If user verification was requested, this value SHALL not exceed the value originally provided in the extension input.
+:: If no fresh user verification needed to be triggered triggered, the authenticator reports the time last last user verification time back to the [=[RP]=] to ensure the [=[RP]=] is aware that no fresh user verification was triggered. It is up to the authenticator to decide whether to return the real elapsed time, or a "rounded" value. If user verification was requested, this value SHALL not exceed the value originally provided in the extension input.
 ```
 $$extensionOutput //= (
From c2c3deb56c15420bba2707135231f7139b51cb00 Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Tue, 19 Mar 2024 22:54:00 +0100
Subject: [PATCH 5/7] Remove unnecessary subsection
---
index.bs | 2 --
1 file changed, 2 deletions(-)
diff --git a/index.bs b/index.bs
index ae93f4f88..3383fc501 100644
--- a/index.bs
+++ b/index.bs
@@ -7588,8 +7588,6 @@ This extension allows the [=[RP]=] to specify such [=user verification=] caching
 For example: Do not ask the user for a fresh [=user verification=] for sign-in if the user was verified by this authenticator within the past 300 seconds.
-#### Extension Definition #### {#sctn-user-verification-cacing-extension-definition}
-
 : Extension identifier
 :: `userVerificationCaching`
From a45a2b63d78c12c068b5aa0723d504466a76473c Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Tue, 19 Mar 2024 22:54:09 +0100
Subject: [PATCH 6/7] Remove unnecessary bibliography additions
---
index.bs | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/index.bs b/index.bs
index 3383fc501..54d9d7232 100644
--- a/index.bs
+++ b/index.bs
@@ -9244,22 +9244,6 @@ for their contributions as our W3C Team Contacts.
 "date": "June 2019"
 },
- "RFC9052": {
- "authors": ["Jim Schaad"],
- "title": "CBOR Object Signing and Encryption (COSE): Structures and Process",
- "href": "https://datatracker.ietf.org/doc/rfc9052/",
- "status": "IETF Internet Standard",
- "date": "August 2022"
- },
-
- "RFC9053": {
- "authors": ["Jim Schaad"],
- "title": "CBOR Object Signing and Encryption (COSE): Initial Algorithms",
- "href": "https://datatracker.ietf.org/doc/rfc9053/",
- "status": "RFC Informational",
- "date": "August 2022"
- },
-
 "ISOBiometricVocabulary": {
 "authors": ["ISO/IEC JTC1/SC37"],
 "title": "Information technology — Vocabulary — Biometrics",
From f3428366216995b4ec0d3c8c3c8932a697e2b75a Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Tue, 19 Mar 2024 23:00:43 +0100
Subject: [PATCH 7/7] Remove unused
---
index.bs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.bs b/index.bs
index 54d9d7232..b6afc8b73 100644
--- a/index.bs
+++ b/index.bs
@@ -7580,7 +7580,7 @@ To Create a new supplemental public key record, perform t
 [=set/append=] this [=supplemental public key record=] to |credentialRecord|.[$credential record/supplementalPubKeys$].
-### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension}
+### User verification caching extension (userVerificationCaching) ### {#sctn-user-verification-caching-extension}
 In some cases it is good enough for the [=[RP]=] to know whether the user was verified by the authenticator "recently".