Add [credential record/authenticatorDisplayName] handling to RP operations #2163

Merged
merged 3 commits into from
Oct 28, 2024
33 changes: 23 additions & 10 deletions index.bs
@@ -1179,15 +1179,15 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital
enables the [=[RP]=] to re-verify the [=attestation signature=] at a later time.

: <dfn>authenticatorDisplayName</dfn>
:: A [=human palatability|human-palatable=] description of the [=public key credential source=].
:: A [=human-palatable=] description of the [=public key credential source=].

If used, the [=[RP]=] SHOULD use this to describe the [=credential record=] in the user's account settings.
The [=[RP]=] SHOULD allow the user to choose this value, and MAY allow the user to modify it at will.

The [=credProps|Credential Properties Extension=] defines the [=credential property=]
{{CredentialPropertiesOutput/authenticatorDisplayName}}
which, when available, MAY be offered as a default for this value.
The [=[RP]=] MAY also derive a default value from the authenticator's [=attestation statement=], if any.
The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any.
</dl>

[=WebAuthn extensions=] MAY define additional [=struct/items=] needed to process the extension.
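Review bot: "If used" at the start of the second paragraph is ambiguous about what is used; "If this item is used" (or "If the [=[RP]=] uses this item") would be clearer. The reworded "MAY alternatively derive a default value from the authenticator's [=attestation statement=]" should be tied to the attestation statement having been verified in the registration ceremony, because an attestation statement the RP did not verify is unauthenticated client-supplied data and a name derived from it is then only a display hint. Since the value is shown in account settings and may be chosen by the user, a sentence that the RP treats it as untrusted text (length and character limits, escaping on display) would also fit here.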
@@ -1211,8 +1211,8 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital
for [=single-device credentials=]. For [=multi-device credentials=], the generating authenticator may or may not be the same as the
current [=managing authenticator=] participating in a given [=authentication=] operation.

: <dfn>Human Palatability</dfn>
:: An identifier that is [=human palatability|human-palatable=] is intended to be rememberable and reproducible by typical human
: <dfn lt="human palatability|human-palatable">Human Palatability</dfn>
:: An identifier that is [=human-palatable=] is intended to be rememberable and reproducible by typical human
users, in contrast to identifiers that are, for example, randomly generated sequences of bits [[EduPersonObjectClassSpec]].

: <dfn>Non-Discoverable Credential</dfn>
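Review bot: Adding `lt="human palatability|human-palatable"` to this <dfn> is what lets the shortened `[=human-palatable=]` links elsewhere in this patch resolve, so this hunk must land together with them. Any `[=human palatability|human-palatable=]` occurrences not touched by this patch would still resolve through the first linking text, but a grep for the old form before merging would keep the document consistent.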
@@ -3591,9 +3591,9 @@ associated with or [=scoped=] to, respectively.
</xmp>
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity">
: <dfn>name</dfn>
:: A [=human palatability|human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents:
:: A [=human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents:

- When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human palatability|human-palatable=] identifier for the [=[RP]=], intended only
- When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human-palatable=] identifier for the [=[RP]=], intended only
for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".

- [=[RPS]=] SHOULD perform enforcement, as prescribed in Section 2.3 of
@@ -3608,7 +3608,7 @@ associated with or [=scoped=] to, respectively.
including the value as a parameter of the [=authenticatorMakeCredential=] operation.

- When inherited by {{PublicKeyCredentialUserEntity}}, it is a
[=human palatability|human-palatable=] identifier for a [=user account=]. This
[=human-palatable=] identifier for a [=user account=]. This
identifier is the primary value displayed to users by [=Clients=] to help users
understand with which [=user account=] a credential is associated.

@@ -3684,9 +3684,9 @@ credential.
with more than one [=user account=] at the [=[RP]=].

: <dfn>displayName</dfn>
:: A [=human palatability|human-palatable=] name for the [=user account=], intended only for
:: A [=human-palatable=] name for the [=user account=], intended only for
display. The [=[RP]=] SHOULD let the user choose this, and SHOULD NOT restrict the choice
more than necessary. If no suitable or [=human palatability|human-palatable=] name is
more than necessary. If no suitable or [=human-palatable=] name is
available, the [=[RP]=] SHOULD set this value to an empty string.

Examples of suitable values for this identifier include, "Alex Müller", "Alex Müller (ACME Co.)" or "田中倫".
@@ -6076,6 +6076,14 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

: [$credential record/attestationClientDataJSON$]
:: <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code>.

: [$credential record/authenticatorDisplayName$]
:: A [=human-palatable=] description of the [=public key credential source=].
This SHOULD be chosen by the user.

If <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code> is present,
then its value MAY be offered as a default for this value.
The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any.
</dl>
</li>

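Review bot: The new item restates the normative text already in the [=credential record=] definition ("SHOULD be chosen by the user", default from credProps or from the attestation statement); pointing at the definition instead of duplicating it would keep the two from drifting. Separately, the credProps value is read from |clientExtensionResults|, i.e. client-supplied data, so when it is "offered as a default" it should be shown to the user for confirmation and validated like any other user-chosen text, and the attestation-derived alternative only makes sense when the attestation statement was verified earlier in this ceremony; a cross-reference to that verification step would make the dependency explicit.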
@@ -6260,6 +6268,11 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
update it to the value of the [=authData/flags/UV=] bit in the [=flags=] in |authData|.
This change SHOULD require authorization by an additional [=authentication factor=] equivalent to WebAuthn [=user verification=];
if not authorized, skip this step.
1. If <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code> is used,
and <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code>
is present and not equal to <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code>,
then OPTIONALLY offer the user to update <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code>
to the value of <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code>.

If the [=[RP]=] performs additional security checks beyond these WebAuthn [=authentication ceremony=] steps,
the above state updates SHOULD be deferred to after those additional checks are completed successfully.
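Review bot: The preceding step guards the [=authData/flags/UV=] update with an additional authentication factor, but the new step attaches no comparable condition to a change driven by |clientExtensionResults|. "OPTIONALLY offer the user to update" does keep the decision with the user, but consider stating that the RP MUST NOT update the record without user confirmation, since the proposed value is client-supplied. "Is used" reads ambiguously here as well; "if the [=[RP]=] uses ... for this credential" is clearer, and "offer the user to update" would read better as "offer the user the option to update". The deferral sentence below ("the above state updates SHOULD be deferred") does cover this new step, which is good.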
@@ -7372,7 +7385,7 @@ This [=client extension|client=] [=registration extension=] and [=authentication
Note: some [=authenticators=] create [=discoverable credentials=] even when not requested by the [=client platform=]. Because of this, [=client platforms=] may be forced to omit the {{rk}} property because they lack the assurance to be able to set it to [FALSE]. [=[RPS]=] should assume that, if the `credProps` extension is supported, then [=client platforms=] will endeavour to populate the {{rk}} property. Therefore a missing {{rk}} indicates that the created credential is most likely a [=non-discoverable credential=].

: <dfn>authenticatorDisplayName</dfn>
:: This OPTIONAL property is a [=human palatability|human-palatable=] description of the credential's [=managing authenticator=],
:: This OPTIONAL property is a [=human-palatable=] description of the credential's [=managing authenticator=],
chosen by the user.

The [=client=] MUST allow the user to choose this value.
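Review bot: This definition describes the value as a description of the credential's [=managing authenticator=], whereas the [=credential record=] item added earlier in this patch describes it as a description of the [=public key credential source=]. Because the credProps value is offered as the default for the record item, consider aligning the two descriptions or noting that the record item may describe either; otherwise an RP reading one definition may apply different expectations than one reading the other.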