Comments (5)
@agl Can you confirm that step 6 is redundant now and can be deleted?
It's step 7 that should be deleted, no? But yes, sorry, I got lost there and it's clearly redundant. I'll do a PR.
from webauthn.
Good catch, thanks! I think you're right that step 6 is redundant. It used to be the "else" part of an "if-else" conditional, and the cases now listed in step 5 used to apply only within the "if" branch of that, so step 6 was needed for the "else" branch. But the "if-else" branching was eliminated in commit b92973ce
, so step 6 should not be needed anymore.
from webauthn.
@agl Can you confirm that step 6 is redundant now and can be deleted?
from webauthn.
While we are in this place of the spec, a couple of things about this paragraph
Otherwise there is some form of error: we recieved a known dpk value, but one or more of the accompanying aaguid, scope, or fmt values did not match what the Relying Party has stored along with that dpk value. Terminate these verification steps.
- "or fmt" seems to be wrong here, because matchedDpkRecords was built using only aaguid, dpk, and scope for equality. The difference in fmt is covered in the preceding paragraph.
- It is implied here that during the lifetime of the DPK neither aaguid or scope can change. It is beneficial, I think, to state it explicitly somewhere (my apology if it is and I missed it). Otherwise it is reasonable for an RP to assume that after some platform authenticator update (and maybe certification) the aaguid can change for the existing DPK.
from webauthn.
- "or fmt" seems to be wrong here, because matchedDpkRecords was built using only aaguid, dpk, and scope for equality. The difference in fmt is covered in the preceding paragraph.
You're right, the matching and the "Otherwise" description went out of sync in commit 5af393d. I'll add this fix to PR #1858.
2. It is implied here that during the lifetime of the DPK neither aaguid or scope can change. It is beneficial, I think, to state it explicitly somewhere (my apology if it is and I missed it). Otherwise it is reasonable for an RP to assume that after some platform authenticator update (and maybe certification) the aaguid can change for the existing DPK.
I think most would expect that aaguid
won't change since that is the case for top-level credentials, so I don't think that needs to be called out more explicitly than the verification steps make it. I would expect scope
to be an immutable credential property as well, but I could see a case for adding some mention of this in the CDDL comments defining attObjForDevicePublicKey
. But I also think it is unambiguous enough as is. @agl thoughts on this?
from webauthn.
Related Issues (20)
- [Superset] Updating credential metadata and requesting deletion of stale credentials HOT 19
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
- Refine JSON serialization to use UTF-8 encoding for `user.id` and `userHandle` HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.