Closed Regenhardt closed 9 months ago
Hey! Thanks for summarising these thoughts.
1, 2 and 3 has all been more-or-less hashed out in #428 and #427, correct? There may be more work with Id/CredentialId coming, but I have not landed on any decision I fell comfortable with yet.
4 & 5 are things I'd need to look into, but seems something could be done there, at least 5.
6 - We're going to align with spec, because it makes things easier to cross-reference and check what is what over long time periods :)
I'd welcome a PR for 5 and we can discuss it more focused there.
@joegoldman2 It looks like we made good progress on this. Can we close this issue, and move anything left into a new issue?
I updated the original post to try and keep this organized.
2 (Id/CredentialId) could need some more work,
4 (attType/AttestationConveyencePreference) I feel like we talked about somewhere else but I can't find it, and
6 (PublicKeyCredentialType) is basically nothing to do
correct?
Also will these things be part of the 4.0.0 release? I think a tag or project (or whatever Github provides) would be helpful to have a list of things to prioritize for the next release.
GH have milestones, and yes I think this would be good to get in before closing releasing the 4.0 stable.
I would appreciate separate issues for 2 and 4. Could you create them @Regenhardt? Closing this in anticipation of the new issues.
As previously mentioned, with breaking changes coming anyway, we might as well clean up some stuff. So here's things I understood from over here we could change, I'll try to make different points and work within those so I don't get confused too much.
1. StoredCredential.CredType
This directly maps to
AttestationVerificationSuccess.CredType
. If I understand this correctly, it maps to the spec'sattestationFormat
(see https://w3c.github.io/webauthn/#sctn-generating-an-attestation-object), so how about I renameCredType
toAttestationFormat
plus documentation like "Format of the attestation statement, e.g. fido-u2f or android-key" with that link?Update 2024-01-12
Done in #427
2. Id/CredentialId
.Id
is created on attestation, then stored with the new credential, both as.Id
and.Descriptor.Id
-> redundant again?.CredentialId
is created on successful assertion, used to up the counter, literally used a index to find the stored.Descriptor.Id
, TestController also stores it in the.Descriptor.Id
, I'm confident it's the same as.Id
.Was speaks against shoving everything into
.CredentialId
? Tbh. I'm having a hard time finding this one in the spec, it's possible there was something along the lines ofpublic byte[] Id => this.CredentialId;
in there basically but in natural language.If you think this would ok spec-wise, I'll try to make everything use
CredentialId
.Update 2024-01-12
AttestedCredentialData
(lib-input in Attestation/Assertion authenticator responses) hasCredentialId
RegisteredPublicKeyCredential
(lib-output when cred was created / after attestation) hasId
StoredCredential
(dev storage) hasId
VerifyAssertionResult
(lib-output when cred was verified / after assertion) hasCredentialId
All these are assigned to each other, so I guess these should be consolidated.
Update 2024-03-06
Moved to #510.
3. SignCount
The field is called
signCount
in the spec so I guess that's the one we want. An easy answer for once.Update 2024-01-12
Done in #427
4.
attType
/AttestationConveyancePreference
RequestNewCredential
takes a mandatory parameter ofAttestationConveyancePreference
(with a default value ofnone
), so if there is a preference conveyed by the client, it's definitely there. This property is just added to theCredentialCreateOptions
.It also takes extensions, which optionally include
AuthenticationExtensionsDevicePublicKeyInputs
, which have a property calledAttestation
spec'd like this:The extensions are also currently only used to add them to the
CredentialCreateOptions
.We could be restrictive and just remove the redundancy, or we could keep the redundancy because it fits the spec and technically one of them is optional so maybe different use cases. In both cases, documentation would help to understand what's going on.
Also we could make the
AuthenticationExtensionsDevicePublicKeyInputs.Attestation
be of typeAttestationConveyancePreference
too, which would be restrictive on the SHOULD part of the spec again (it may technically be something else, in which case the client is supposed to ignore it).Update 2024-03-06
Moved to #511
5. AuthenticatorSelection/authnSel
I can't find this extension (or the keyword) in the spec, but I did find that the spec's documentation for the non-extension parameter
AuthenticatorSelection
kinda fits the documentation for authnSel extension in the lib, so I guess we do indeed delete this one?Update 2024-01-12
Done in #435
6.
PublicKeyCredentialType
After reading the spec and seeing this enum is indeed called
PublicKeyCredentialType
there, I have mixed feelings here. I disagree with the spec, as I thinkpublic-key
is a type of credential, same aspassword
andfederated
, as explained in Mozilla's MDN:They don't mention the enum at all.
I do however agree with keeping things close to the spec.
So I really don't know what to do about this one, as my brain is fighting itself here.
Update 2024-03-06
Done as nothing to do.