New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pass through other assertion formats #1232
Conversation
@@ -1672,6 +1672,9 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
: <code><dfn for="assertionCreationData">authenticatorDataResult</dfn></code> | |||
:: whose value is the bytes of the [=authenticator data=] returned by the [=authenticator=]. | |||
|
|||
Note: Web Browsers shall tolerate assertion formats that differ from the one described |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If “shall” is intended to be binding, should it be “SHALL”?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am happy to make that change (plus remove the "note")
Could we return the UAF assertion in an extension that is included in a well-formed FIDO2 signature assertion? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am strongly against doing this, as for it to work, it would require updates to all WebAuthn clients. It would be far better for the ecosystem to instead update any phones speaking UAF to be able to issue FIDO2 assertions, in which case, the existing ecosystem will continue working. Please close this PR with no action.
From call of 2019-06-05: Rolf clarified that registration would be handled out-of-band. I, for Chrome, said that arbitrary Authenticator Data would be very problematic. Akshay, I think, said something similar. I suggested putting the necessary information in an extension and having the RP reconstruct the signed message from that. There was worry about this being a channel for arbitrary data though the browser. Several such channels already exist, but people aren't thrilled about adding more. J. C. queries how a reader of the spec would be able to figure out the necessary supporting documents to be able to use this. (I.e. the UAF specs.) John asks about UAF extensions themselves, which currently aren't defined for WebAuthn and so couldn't be passed in. Mike notes that no UAF authenticators work with WebAuthn today, so new code will be needed. But if a change is needed why not make these authenticators real CTAP2 devices? Rolf asserts that parts of this ecosystem are pretty hard to change, but adding an interop layer would be much easier. John, J. C., and Mike ask about the number of devices that would partake in order to judge the value. |
My more basic question is who really needs this? As I understand it all Android phones 7+ have Webauthn platform authenticators now and Google is in the process of adding CTAP over BLE and caBLE so that they can be remote authenticators. So current Android phones don't really seem to fit this description. On iOS apple may take a bit longer to roll out their platform authenticator, so this might be a target. However, all Fido authenticators on iOS are in software not in a ROE other than using the keychain. Those could just as easily be updated to Fido2 native authenticators rather than doing this wrapping. I am left to conclude that we are talking about a small number of phones that may have UAF built in perhaps on Samsung? But those would have to be pre android 7. Anything later and the android platform is going to be doing Fido over BLE. I don't even know if a non core OS app could also do Fido over BLE at the same time without breaking things. This seems a lot of work for potentially a small to non-existent number of devices. Can someone point to a real example of a phone that would do this? John B. |
Thinking more about this, may be upgrading such implementations to do CTAP2 is more achievable. Changing webauthn and faking the authdata, passing info via an extension, does not seems right. |
No update today, so I untied it from milestone L2-WD-02 |
As per 3/3/21 Meeting: This pull request would need to be heavily updated to include further explanation of what's being proposed, justification of its purpose , and amendments to sections of the spec (such as those regarding clients and authentication servers) that would be affected by this change. |
Close #465
Preview | Diff