New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add registration/authentication extensions for cloud-assisted BLE #909
Conversation
@kpaulh Will review @ the FIDO Plenary |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe that this extension does belong in WebAuthn, although it would be OK for it to be in CTAP instead. In either case, it will end up in the IANA "Extension Identifiers" registry - so the result would be the same.
The creation of the "RegistrationExtensions..." identifiers reflects a misunderstanding. The word "Authentication" in the "AuthenticationExtensions..." identifiers refers to "Web Authentication" - not a particular method. The existing identifiers apply and should be used.
index.bs
Outdated
}; | ||
</xmp> | ||
|
||
This is a dictionary containing the [=client extension output=] values for zero or more WebAuthn extensions, as defined in [[#extensions]]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete RegistrationExtensionsClientOutputs. Use AuthenticationExtensionsClientOutputs instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done! sorry for the confusion.
index.bs
Outdated
}; | ||
</xmp> | ||
|
||
This is a dictionary containing the [=client extension input=] values for zero or more WebAuthn extensions, as defined in [[#extensions]]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete RegistrationExtensionsClientInputs. Use AuthenticationExtensionsClientInputs instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
index.bs
Outdated
typedef record<DOMString, DOMString> RegistrationExtensionsAuthenticatorInputs; | ||
</xmp> | ||
|
||
This is a dictionary containing the [=authenticator extension input=] values for zero or more WebAuthn extensions, as defined in [[#extensions]]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete RegistrationExtensionsAuthenticatorOutputs. Use AuthenticationExtensionsAuthenticatorOutputs instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
index.bs
Outdated
required BufferSource rpPublicKey; | ||
}; | ||
|
||
partial dictionary RegistrationExtensionsClientInputs { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Registration -> Authentication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and Done
@jcjones @akshayku @equalsJeffH Please review |
Just to note wrt
Just to note, presently these extension definitions are also contained in https://github.com/fido-alliance/fido-2-specs/pull/529/ [ which is for the CTAP spec ]. If we decide to land them here in the WebAuthn spec, we will need to update https://github.com/fido-alliance/fido-2-specs/pull/529/ such that they (specifically only the extension definitions) are elided (from the latter CTAP-specific PR). |
|
||
During <code>authenticatorGetAssertion()</code>, the RP provides the | ||
client with the necessary session data via the following extension. | ||
For details refer to Sections [#cable-eid] and [#cable-encryption]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think these anchors exist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks Kim!!
We will leave open until the CTAP work is implemented and make sure this works with passwordless world |
}; | ||
</xmp> | ||
|
||
Versions is a list of protocol versions supported by the relying party. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you elaborate the version
? What value is supported here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For now only "1", but the field exists so that we can make changes/fixes to the protocol if needed.
|
||
Versions is a list of protocol versions supported by the relying party. | ||
|
||
The rpPublicKey is an ECDH P-256 public key. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What format is used for encoding rpPublicKey
?
|
||
The clientEid is a 16-byte EID advertised by the Client. | ||
|
||
The authenticatorEid is a 16-byte EID advertised by the Authenticator. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does the RP retrieve the EID advertised by the Authenticator?
It seems Chrome implementation does. |
we are closing this because we are hoping it will not be needed. |
at 2020-02-26 meeting, we decided to close this because we are sure it wont be needed. |
@equalsJeffH What is the standard for this then? |
Is this replaced by Bluetooth Smart / Bluetooth Low Energy Technology ? |
This is a counterpart to https://github.com/fido-alliance/fido-2-specs/pull/529/, the FIDO2 cloud-assisted BLE PR. We're not quite sure where the extension should live - FIDO2 or WebAuthN. We're leaning towards WebAuthN, since it is relevant to RPs, but hoping others have some thoughts.
Also, this PR currently has references to sections in the FIDO2 spec that I can either replace with complete explanations or update links to once they're available in the FIDO spec. We figured we would get eyes on it now and clean up along the way.
Note that since this is the first registration extension, this PR also adds RegistrationExtensionsClientInputs/Outputs.
Preview | Diff