Merge pull request #1630 from w3c/remove-tokenbinding
Remove TokenBinding
Nick Steele committed Jul 28, 2021
2 parents 33b0215 + 0ac8be0 commit a30f8e8
Showing 1 changed file with 5 additions and 12 deletions.
17 changes: 5 additions & 12 deletions index.bs
Expand Up @@ -1608,8 +1608,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
:: The inverse of the value of the
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.

Expand Down Expand Up @@ -2039,8 +2037,6 @@ When this method is invoked, the user agent MUST execute the following algorithm
:: The inverse of the value of the
{{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.

Expand Down Expand Up @@ -2963,8 +2959,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
required DOMString type;
required DOMString challenge;
required DOMString origin;
boolean crossOrigin;
TokenBinding tokenBinding;
boolean crossOrigin;
};

dictionary TokenBinding {
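
Review bot: Dropping `TokenBinding tokenBinding;` from the CollectedClientData IDL leaves `dictionary TokenBinding {` defined directly below with no member of this dictionary referring to it. Either remove that dictionary as well or mark it as retained for the reserved field, so the IDL does not carry an orphaned type. Separately, `boolean crossOrigin;` is both removed and re-added in this hunk, which looks like a whitespace-only change; worth confirming it is intended.
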
Expand Down Expand Up @@ -2993,9 +2988,11 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
:: This member contains the inverse of the `sameOriginWithAncestors` argument value
that was passed into the [=internal method=].

: <dfn>tokenBinding</dfn>
: \[RESERVED] <dfn>tokenBinding</dfn>
:: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating
with the [=[RP]=]. Its absence indicates that the client doesn't support token binding.
with the [=[RP]=]. Its absence indicates that the client doesn't support token binding

Note: While [=Token Binding=] was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The {{CollectedClientData/tokenBinding}} field is reserved so that it will not be reused for a different purpose.

<div dfn-type="dict-member" dfn-for="TokenBinding">
: <dfn>status</dfn>
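
Review bot: The reserved entry still reads as a live definition: `This OPTIONAL member contains information about the state of the [=Token Binding=] protocol` and `Its absence indicates that the client doesn't support token binding` are kept under the new `\[RESERVED]` marker, which sits oddly with the added Note that its use is not expected in Level 3. Suggest trimming the definition down to the reservation itself and stating how a Relying Party should treat a value sent by an older client. The re-added line also loses its closing period after `token binding`.
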
Expand Down Expand Up @@ -4429,8 +4426,6 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Let |hash| be the result of computing a hash over <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code> using SHA-256.

1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the
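
Review bot: After the `tokenBinding` step is deleted here, the registration procedure in this hunk goes from the origin check straight to hashing clientDataJSON and says nothing about a `tokenBinding` member that is present in |C|. Since the field is reserved rather than forbidden, a sentence telling the Relying Party to ignore it would keep implementations from either rejecting such responses or silently retaining the old enforcement.
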
Expand Down Expand Up @@ -4593,8 +4588,6 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list :-/
-->
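
Review bot: The deleted step was the only check visible in this hunk that tied the response to the TLS connection it arrived on; what remains is the origin match. Worth confirming that no remaining text in index.bs still describes that connection binding as something the authentication ceremony verifies, and deciding whether the `[[!TokenBinding]]` reference kept in the reserved definition should stay normative now that no procedure step depends on it.
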