New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial proposal for modifications to resident key credential requirements #1191
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this, Shane! It looks pretty good overall to me, but could use some polish.
…identKeyRequirement enum definitions.
Rewrite resident key option handling as switch statements
thanks for submitting this @sbweeden! I'm at IETF this week, wont be able to submit a review until next week... |
This requires modifications according to latest discussion in the issue. See #991 (comment) |
…have changed the set of permitted ResidentKeyRequirement values back to one of discouraged, preferred, required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but I still think there is value in an "indifferent" option - not instead of "discouraged", but in addition to it. Even if there turns out to be no practical difference in how clients implement it, it expresses a different RP intent.
@akshayku talked earlier about having the client retry the authenticator invocation with different |
@emlun That seems too prescriptive to me. Platforms/Browsers handling of these parameters to CTAP parameters is complex and I would not go over prescribing it. I would concentrate on defining the intent from the RP's perspective correctly and its use cases. |
Hi @sbweeden -- please see: sbweeden#3 |
build on credProps extension definition: formalize authnr/client processing
I merged sbweeden#3 however made two small subsequent changes. The first was to fix a compile error related to indenting, and the other a small grammatical error of "a" vs "an" before a word starting with a vowel. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good to me. Have some questions about this extension..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shane, are you proposing an extension to be implemented by external authenticators?? And Why?
…onent of the new credProps exception.
Ready for re-review following removal of authenticator extension component of the credProps extension per WG call on May 1, 2019. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this LGTM overall, thx @sbweeden! there's one thing in the extension's IANA registration we need to fix.
Thanks for latest review @emlun and @equalsJeffH. I have addressed both the pick-ups, and found one additional dfn reference error which I fixed as well. |
With the changes @agl proposes in fido-alliance/fido-2-specs#661 it looks to me like we actually could support |
Yep, looks good. changing 'credential' to 'pk cred source' is good catch, thx :)
you mean add "forbidden" as a fourth value of ResidentKeyRequirement ? |
Yes. |
I think we should merge this and separately consider possibly adding "forbidden" as a fourth value of ResidentKeyRequirement. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @sbweeden!
…ident key credential requirements (#1191)
…ident key credential requirements (#1191)
Attempts to fix #991 #1149
Outstanding issues/questions:
In the user-agent processing algorithm described in section 5.1.3, please check if the modifications in step 20 are possible w.r.t. CTAP. Specifically is it possible for a user-agent (client) to determine in an authenticator is capable of resident (or non-resident) key credentials?
In the IANA considerations section (11.2) I have added the credProps extension. How do I really register this with WebAuthn-Registries?
Preview | Diff