w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

CTAP-speaking authenticators use integer-valued CBOR map keys #864

Closed equalsJeffH closed 6 years ago

equalsJeffH commented 6 years ago

I.e., the use of integer keys in CTAP (cf. Section 6.2 Responses, in latest working draft) for (especially, and at least) authenticatorMakeCredential_Response has an impedance mismatch with WebAuthn 6.3.4 Generating an Attestation Object (see also WebAuthn figure 3). Once the publicly-published CTAP spec is updated such that it is referencable, we ought to add appropriate Note(s) to webauthn calling this out.

equalsJeffH commented 6 years ago

We decided (when? call last week?) that we are going to live with this, yes?

selfissued commented 6 years ago

There was agreement on the 2-May-18 call that we are not going to change from using the existing integer-valued keys in CTAP. I do agree that we could add documentation to WebAuthn about the key mappings once RD4 is public.

equalsJeffH commented 6 years ago

Will do an editorial wrt:

> I do agree that we could add documentation to WebAuthn about the key mappings once RD4 is public.

equalsJeffH commented 6 years ago

[ CTAP RD4 = fido-client-to-authenticator-protocol-v2.0-id-20180227.html ]

I've looked into this issue some and am thinking that we ought to not, in the webauthn spec, go into details regarding the differences between it and CTAP. This is because the differences are apparently greater than CTAP's use of "integer keys" (as opposed to webauthn's "string keys") in CBOR-encoded data. For example, CTAP's #authenticatorGetAssertion also returns objects where webauthn returns a single value (the returned values for credential and user), and then has commentary describing the platform's behavior, e.g., prompting the user or not and what portion(s) of the data is returned back to the webauthn layer.

https://w3c.github.io/webauthn/#sctn-authenticator-model already notes that it describes an "abstract function model". Perhaps it is appropriate to add a Note after the 2nd paragraph therein saying something along the lines of:

Note: [[FIDO-CTAP]] is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the [[#api|WebAuthn API]]'s algorithms. The client platform is expected to perform any needed transformations on such data. The [[FIDO-CTAP]] specification details the necessary transformations.

WDYT?
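The transformation this thread talks about, as an added example that is not part of the issue, the WebAuthn spec or CTAP: a client-platform-side translation of a CTAP2 authenticatorMakeCredential response (integer-keyed CBOR map: 1 fmt, 2 authData, 3 attStmt) into a WebAuthn attestationObject (text-keyed), and of an authenticatorGetAssertion response (1 credential, 2 authData, 3 signature, 4 user, 5 numberOfCredentials) into the members of an AuthenticatorAssertionResponse, including the getAssertion case where CTAP returns credential and user as maps and WebAuthn surfaces only credential.id and user.id. The key numbers are those of CTAP 2.0; everything else is assumed for the example: the CBOR codec is a minimal one written here (it covers only the types these messages use and applies CTAP2 canonical key ordering, shorter encoded key first, then bytewise, when encoding maps), and the sample authData and signature are constructed placeholders.

```python
"""Added example, not code from the WebAuthn or CTAP specs: the key translation a
client platform performs between CTAP2 responses (integer CBOR map keys) and the
WebAuthn-layer structures (text keys).  Minimal CBOR codec written for the example."""
import hashlib

# Member keys of the two CTAP2 responses, as numbered in the CTAP 2.0 spec.
CTAP_MAKECRED_KEYS = {1: "fmt", 2: "authData", 3: "attStmt"}
CTAP_GETASSERT_KEYS = {1: "credential", 2: "authData", 3: "signature", 4: "user", 5: "numberOfCredentials"}

def _head(major, arg):
    # Initial bytes of a CBOR item, using the shortest encoding of `arg`.
    if arg < 24:
        return bytes([(major << 5) | arg])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * width):
            return bytes([(major << 5) | info]) + arg.to_bytes(width, "big")
    raise ValueError("CBOR argument too large")

def cbor_encode(v):
    if isinstance(v, int) and not isinstance(v, bool) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        # CTAP2 canonical form: keys ordered by encoded length, then bytewise.
        items = sorted(((cbor_encode(k), cbor_encode(x)) for k, x in v.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported value {v!r}")

def _decode(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24:
        arg = info
    elif info <= 27:
        width = 1 << (info - 24)
        if pos + width > len(buf):
            raise ValueError("truncated CBOR")
        arg, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("indefinite-length item; not CTAP2 canonical CBOR")
    if major == 0:
        return arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 5:
        items = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            items[key], pos = _decode(buf, pos)
        return items, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def cbor_decode(buf):
    value, end = _decode(bytes(buf), 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return value

def _rename_keys(resp, table, what):
    """Replace CTAP integer keys with WebAuthn-layer names; reject unknown keys."""
    if not isinstance(resp, dict):
        raise ValueError(f"{what}: response is not a CBOR map")
    if unknown := [k for k in resp if k not in table]:
        raise ValueError(f"{what}: unexpected member key(s) {unknown}")
    return {table[k]: v for k, v in resp.items()}

def ctap_makecred_to_attestation_object(ctap_response):
    """authenticatorMakeCredential response -> WebAuthn attestationObject bytes."""
    named = _rename_keys(cbor_decode(ctap_response), CTAP_MAKECRED_KEYS, "makeCredential")
    if missing := set(CTAP_MAKECRED_KEYS.values()) - set(named):
        raise ValueError(f"makeCredential: missing member(s) {sorted(missing)}")
    return cbor_encode(named)

def ctap_getassertion_to_webauthn(ctap_response, allow_list=()):
    """authenticatorGetAssertion response -> AuthenticatorAssertionResponse members.
    CTAP returns `credential` and `user` as maps; WebAuthn surfaces only credential.id
    (rawId) and user.id (userHandle).  Per CTAP 2.0 the authenticator may omit
    `credential` when the allowList had exactly one entry; the platform fills it in."""
    named = _rename_keys(cbor_decode(ctap_response), CTAP_GETASSERT_KEYS, "getAssertion")
    credential = named.get("credential") or (allow_list[0] if len(allow_list) == 1 else None)
    if credential is None:
        raise ValueError("getAssertion: credential omitted without a single-entry allowList")
    return {"rawId": credential["id"], "authenticatorData": named["authData"],
            "signature": named["signature"], "userHandle": named.get("user", {}).get("id")}

# Constructed sample data, not captured from a real authenticator: authData is abbreviated
# to rpIdHash || flags || signCount (no attested credential data); the signature is a DER placeholder.
AUTH_DATA = hashlib.sha256(b"example.com").digest() + b"\x01" + (7).to_bytes(4, "big")
CTAP_MAKECRED_RESPONSE = cbor_encode({1: "none", 2: AUTH_DATA, 3: {}})
CTAP_GETASSERT_RESPONSE = cbor_encode({
    1: {"id": b"\x01" * 16, "type": "public-key"}, 2: AUTH_DATA,
    3: b"\x30\x06\x02\x01\x01\x02\x01\x01", 4: {"id": b"user-42"}})
```

Both translations decode the whole CTAP message first and reject trailing bytes, indefinite-length items and member keys that are not in the CTAP table, which is the check a platform should make before handing authenticator output to the WebAuthn layer; the re-encoded attestationObject comes out with "fmt", "attStmt", "authData" in that order because the encoder applies CTAP2 canonical ordering to the text keys.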