Web Authentication: Large Blob extension

[nsatragno]

Salutations TAG!

I'm requesting a TAG review of the Web Authentication Large Blob extension.

The Web Authentication Large Blob extension allows relying parties to store small amounts of opaque data associated with a credential on an authenticator. This is useful for authentication schemes involving storing certificates on authenticators.

• Explainer
• Specification URL
• Tests (see large-blob files).
• User research: N/A
• Security and Privacy self-review
• GitHub repo (if you prefer feedback filed there): File feedback here
• Primary contacts (and their relationship to the specification):
  • Nina Satragno (@nsatragno), Google (implementing & launching the feature)
  • Adam Langley (@agl), Google (wrote the large blob spec)
• Organization(s)/project(s) driving the specification: Google/Chrome, Microsoft
• Key pieces of existing multi-stakeholder review or discussion of this specification:
  • PRs:
    • https://github.com/w3c/webauthn/pull/1402
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
  • https://chromestatus.com/feature/5657899357437952

Further details:

• [X] I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: N/A
• The group where the work on this specification is currently being done: WebAuthn WG
• The group where standardization of this work is intended to be done: WebAuthn WG
• Major unresolved issues with or opposition to this specification: None.
• This work is being funded by: Google, Microsoft (insofar as they have implemented the relevant APIs on Windows).

You should also know that...

This feature requires OS-level support for platforms where the OS handles WebAuthn requests (this is the case for Windows). Support on Windows has already shipped.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @nsatragno

[plinss]

@maxpassion and I took a look a this during our Tokyo F2F and we have some questions:

1) The explainer talks about a 'small amount of data', why is this called 'largeBlob'? 2) Why is it called a blob if it's reading and writing array buffers? The property name should be relevant to the data type, either make the API accept a Blob or use a name that doesn't imply Blobs. 3) What's the size limit of the data? If there any way for the RP to know what's available? 4) Is there expected to be a mechanism for the user to clear this data? (Independent of clearing the entire auth for the RP) Either via UA UI or a future API call?

[rhiaro]

hi @nsatragno, have you had any chance to look at the questions @plinss left a couple of months ago?

Also, do you have an update on the implementation status, and any multi-stakeholder support? We see that Webkit is tentatively supportive and prototyping an implementation. We'd love to hear of any changes or iterations or emerging issues as a result of working with other implementers. Thanks.

[nsatragno]

This slipped through my emails, sorry!

The explainer talks about a 'small amount of data', why is this called 'largeBlob'? Why is it called a blob if it's reading and writing array buffers? The property name should be relevant to the data type, either make the API accept a Blob or use a name that doesn't imply Blobs.

The name comes from CTAP. 1kb is "large" with respect to the available memory on security keys, and with respect to the older credBlob extension that supports 32 bytes. Array buffers are used to write and read binary data all through the webauthn spec.

What's the size limit of the data?

This depends on the authenticator, the specification does not state a maximum size.

If there any way for the RP to know what's available?

A relying party can set largeBlob's support to required (or preferred) to discover availability when creating a credential, but cannot query the available space on the authenticator.

Is there expected to be a mechanism for the user to clear this data? (Independent of clearing the entire auth for the RP) Either via UA UI or a future API call?

User agent management of authenticators is not specified by webauthn or CTAP, but the authenticator API endpoints to manage credentials (and large blobs) are. On some platforms, Chrome has the ability to delete credentials with an associated large blob which will clear the blob as well. Some authenticator vendors provide their own management software.

RPs can clear a large blob without deleting the credential by writing an empty blob.

Also, do you have an update on the implementation status, and any multi-stakeholder support?

It's shipped on Chrome 113 and Safari 17. The compression algorithm turned to be a subtle source of incompatibility, so if we could redesign the API we would probably change that.

At this time, the only improvement we are working on is support over the hybrid protocol. This will let websites create & retrieve large blobs for authenticators such as phones. This has no effect on the web API surface, but required a few changes on CTAP (not published yet, sorry).

[agl]

Also, do you have an update on the implementation status, and any multi-stakeholder support?

While we don't have any details about how Apple are using it, largeBlob support is required when signing into iCloud on a desktop machine with an iOS 17 device.

[plinss]

@nsatragno Thanks for the reply. We're closing this as satisfied. I personally think the naming is a bit unfortunate (and confusing with platform Blobs) but understand that it matches other usage and is too late to change.

[spencercap]

@nsatragno + others, thanks for your developments on this!

unfortunately I'm finding that Chrome (ver 117.0.5938.88) is NOT able to save a largeBlob in the glitch demo, but Safari 17 (desktop + iOS17) is able to save it successfully while running the same code.

I see these tests are passing... and what's strange is that extensions.largeBlob is defined (as in supported) but then the response keeps coming back as extensions.largeBlob.written == false when trying to write a largeBlob in Chrome. Is this a Chrome bug?

I'm testing with TouchID on macOS and FaceID on iOS.

[miketaylr]

Is this a Chrome bug?

crbug.com/new is a better place to discuss, rather than a closed TAG review. Thanks! 😃