Add authenticator attachment used during authentication to assertion payload #1668
Conversation
* add transport docs * Update index.bs Co-authored-by: Nina Satragno <[email protected]> * Update index.bs Co-authored-by: Nina Satragno <[email protected]> * Update index.bs Co-authored-by: Nina Satragno <[email protected]> * Update index.bs Co-authored-by: Nina Satragno <[email protected]> Co-authored-by: zakaria ridouh <[email protected]> Co-authored-by: Nina Satragno <[email protected]>
|
This field isn't part of the signed collected client data, so can't this be tampered with during the response? This may lead to failse assumptions of security/validity of this data. There is already a signed extension for this purpose, so how is this an improvement? |
The user-agent could "tamper" with it, yes. As with several other fields (including the transport list in the registration).
There's no extension defined for this but, even if we defined one, it wouldn't have any support from authenticators. An extension isn't needed for the motivating use here, which is allow a website to figure out whether to offer to register a platform authenticator. |
If this is the case, it should be called a transportSelectionHint to make it extremely clear that it is not an enforceable security property. There have already been multiple instances of RP's implementing webauthn that have incorrectly assumed that criteria are security properties rather than UX hints, and I think we should improve this in the language we use for these values. |
I don't think we can save such RPs. We can't rename everything that exists and, if we start calling things transportAsReportedByTheBrowser then it suggests that the other values are coming from the authenticator! |
|
Another point from the above: might RPs do silly things with this like decided that assertions over USB are ok but NFC aren't? If we're saying that the point is to determine platform vs not, might be spell this |
This patch adds the transport used during authentication to the assertion payload returned from the browser to the relying party following a successful authentication. Spec change: w3c/webauthn#1668 This feature is gated behind #enable-web-authentication-assertion-transport Bug: 1243721 Change-Id: I90378d5a4b454f4180d020ed1e5c8fc63f2bf2d2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3124587 Auto-Submit: zakaria ridouh <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Ken Buchanan <[email protected]> Reviewed-by: Rouslan Solomakhin <[email protected]> Reviewed-by: Nina Satragno <[email protected]> Reviewed-by: Liquan (Max) Gu <[email protected]> Commit-Queue: Ken Buchanan <[email protected]> Commit-Queue: zakaria ridouh <[email protected]> Cr-Commit-Position: refs/heads/main@{#921727}
z11h
changed the title
z11h
changed the title
* transport to platform attachment * pt2 * add section * move authenticator attachment to public key credential * slight changes * slight changes Co-authored-by: zakaria ridouh <[email protected]>
Co-authored-by: Nina Satragno <[email protected]> Co-authored-by: Emil Lundberg <[email protected]>
Co-authored-by: Nina Satragno <[email protected]>
|
on 2021-09-22 call: |
There was a problem hiding this comment.
I've reviewed and caught one link mistake I made (apologies). Also, these changes link to [[#sctn-attachments-from-transports]] and assume the suggestions I made in PR #1670 are accepted , but it seems @emlun hasn't had a chance to review that as yet.
So we can fix the link below, and then either (a) wait for @emlun to review #1670 and proceed per however that works out, or (b) merge this PR and then be prepared to revise things as necessary depending on how #1670 shakes out.
What do folks wish to do?
Co-authored-by: =JeffH <[email protected]>
|
@equalsJeffH: Since @emlun is in a different time zone, I'm fine waiting until he has a look at your comments on #1670 and we can sit on this PR until that PR shakes out and we'll go ahead and merge this, to prevent any dead links. |
|
Thanks for your patience everyone! #1670 has now evolved to be mutually dependent on this PR, so I think it makes more sense to merge it into here instead of into #1621. I couldn't re-target the PR base branch though, because this branch is in https://github.com/z11h/webauthn, so I instead replaced #1670 with z11h#3. |
* Describe how to determine authenticator attachment from transports * Accept @equalsJeffH's rewrite of #sctn-attachment-from-transports Co-authored-by: =JeffH <[email protected]> Co-authored-by: =JeffH <[email protected]>
|
@emlun, merged your branch onto my fork. all comments have been resolved, PR is ready for another look :) |
There was a problem hiding this comment.
This is looking good @z11h & @emlun, thanks for merging PR #1670 into here. Upon review it seems having the new #sctn-attachments-from-transports section embedded in section 5.2, which is about authenticator responses, is odd because it describes client platform behavior that sets an attribute on the PublicKeyCredential interface. I suggest we move the new #sctn-attachments-from-transports section up into section 5.1, say as a peer to and after sctn-isUserVerifyingPlatformAuthenticatorAvailable (it'd now have only three hashs in its title).
WDYT?
Also, I suggest we use the existing term "authenticator transport" rather than introducing a new term "credential transport" (suggestions and a nit fix below).
Plus, we ought to have at least @nsatragno review the normative language we're adding here.
Co-authored-by: =JeffH <[email protected]>
|
@nsatragno resolved. @equalsJeffH great comments, I've reordered the sections, and agree that authenticator transport is a more fitting term. |
There was a problem hiding this comment.
Sorry for the back-and-forth, but seeing it in its new context I don't think the new section (#sctn-attachments-from-transports) makes much sense anymore - the client (unlike an RP) doesn't need to "determine the attachment from the transports", it already knows the attachment. So rewriting the section for this new purpose, the "algorithm" would become something like:
If the authenticator
- is using platform attachment
- set the value of
authenticatorAttachmentto platform.- is using cross-platform attachment,
- set the value of
authenticatorAttachmentto cross-platform.
which seems pretty redundant since the §5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment) section already defines the same mapping. So I think we can get rid of the new section entirely and just refer back to AuthenticatorAttachment. Here are some suggestions for that.
Co-authored-by: Emil Lundberg <[email protected]>
|
PR updated. :) |
|
Actually, I think this is good enough for now (thanks for your patience @z11h & @nsatragno!) as of commit 6951078 and we ought to land this as-is. If we wish to further clarify detail-level things that client devs need to be aware of (e.g., underlying platform not supplying transport info, so it's reported as null (as discussed briefly on today's webauthn call)), we ought to submit an issue and deal with it separately. |
…payload (#1668) SHA: 5227874 Reason: push, by @nsatragno Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…payload (w3c#1668) SHA: 5227874 Reason: push, by @nsatragno Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This spec change adds the authenticator attachments (platform/cross-platform) used during authentication to the assertion payload returned from the browser to the RP.
Fixes: #1666
Also discussed in #1637
Preview | Diff