From 5c4ce3492ec48e5af77db387963db5d5082f1233 Mon Sep 17 00:00:00 2001 From: nicksteele Date: Thu, 17 Jun 2021 15:44:21 -0400 Subject: [PATCH 1/4] Remove References to TokenBinding --- index.bs | 58 +------------------------------------------------------- 1 file changed, 1 insertion(+), 57 deletions(-) diff --git a/index.bs b/index.bs index 56ff05ab5..6bca4e1b1 100644 --- a/index.bs +++ b/index.bs @@ -176,12 +176,6 @@ spec: url; urlPrefix: https://url.spec.whatwg.org text: scheme; url: concept-url-scheme text: port; url: concept-url-port - -spec: TokenBinding; urlPrefix: https://tools.ietf.org/html/rfc8471# - type: dfn - text: Token Binding; url: section-1 - text: Token Binding ID; url: section-3.2 - spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/ type: dictionary text: CredentialCreationOptions; url: dictdef-credentialcreationoptions @@ -1603,8 +1597,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o :: The inverse of the value of the {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} argument passed to this [=internal method=]. - : {{CollectedClientData/tokenBinding}} - :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. 
@@ -2031,9 +2023,7 @@ When this method is invoked, the user agent MUST execute the following algorithm : {{CollectedClientData/crossOrigin}} :: The inverse of the value of the {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} - argument passed to this [=internal method=]. - : {{CollectedClientData/tokenBinding}} - :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. + argument passed to this [=internal method=]. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. @@ -2951,15 +2941,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's required DOMString challenge; required DOMString origin; boolean crossOrigin; - TokenBinding tokenBinding; - }; - - dictionary TokenBinding { - required DOMString status; - DOMString id; }; - - enum TokenBindingStatus { "present", "supported" };
@@ -2980,32 +2962,6 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's :: This member contains the inverse of the `sameOriginWithAncestors` argument value that was passed into the [=internal method=]. - : tokenBinding - :: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating - with the [=[RP]=]. Its absence indicates that the client doesn't support token binding. - -
- : status - :: This member SHOULD be a member of {{TokenBindingStatus}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the {{CollectedClientData/tokenBinding}} [=map/exist|member does not exist=]. When known, this member is one of the following: - -
- : supported - :: Indicates the client supports token binding, but it was not negotiated when communicating with the [=[RP]=]. - - : present - :: Indicates token binding was used when communicating with the [=[RP]=]. In this case, the - {{TokenBinding/id}} member MUST be present. -
- - Note: The {{TokenBindingStatus}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]. - - : id - :: This member MUST be present if {{TokenBinding/status}} is {{TokenBindingStatus/present}}, and MUST be a [=base64url - encoding=] of the [=Token Binding ID=] that was used when communicating with the [=[RP]=]. -
- - Note: Obtaining a [=Token Binding ID=] is a [=client platform=]-specific operation. - The {{CollectedClientData}} structure is used by the client to compute the following quantities: : JSON-compatible serialization of client data @@ -4382,8 +4338,6 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. -1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. - 1. Let |hash| be the result of computing a hash over |response|.{{AuthenticatorResponse/clientDataJSON}} using SHA-256. 1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the @@ -4543,8 +4497,6 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. -1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. - 
@@ -7111,14 +7063,6 @@ for their contributions as our W3C Team Contacts. "date": "15 December 2012" }, - "TokenBinding": { - "authors": ["A. Popov", "M. Nystroem", "D. Balfanz", "J. Hodges"], - "title": "The Token Binding Protocol Version 1.0", - "href": "https://tools.ietf.org/html/rfc8471", - "status": "IETF Proposed Standard", - "date": "October, 2018" - }, - "EduPersonObjectClassSpec": { "publisher": ["Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir)"], "title": "EduPerson Object Class Specification (200604a)", From af060767d98c3dbfc28bba1a1b0b536ad19ba97a Mon Sep 17 00:00:00 2001 From: nicksteele Date: Tue, 13 Jul 2021 11:08:17 -0400 Subject: [PATCH 2/4] Revert "Remove References to TokenBinding" This reverts commit 5c4ce3492ec48e5af77db387963db5d5082f1233. --- index.bs | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 6bca4e1b1..56ff05ab5 100644 --- a/index.bs +++ b/index.bs @@ -176,6 +176,12 @@ spec: url; urlPrefix: https://url.spec.whatwg.org text: scheme; url: concept-url-scheme text: port; url: concept-url-port + +spec: TokenBinding; urlPrefix: https://tools.ietf.org/html/rfc8471# + type: dfn + text: Token Binding; url: section-1 + text: Token Binding ID; url: section-3.2 + spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/ type: dictionary text: CredentialCreationOptions; url: dictdef-credentialcreationoptions 
@@ -1597,6 +1603,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o :: The inverse of the value of the {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} argument passed to this [=internal method=]. + : {{CollectedClientData/tokenBinding}} + :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. @@ -2023,7 +2031,9 @@ When this method is invoked, the user agent MUST execute the following algorithm : {{CollectedClientData/crossOrigin}} :: The inverse of the value of the {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} - argument passed to this [=internal method=]. + argument passed to this [=internal method=]. + : {{CollectedClientData/tokenBinding}} + :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. @@ -2941,7 +2951,15 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's required DOMString challenge; required DOMString origin; boolean crossOrigin; + TokenBinding tokenBinding; + }; + + dictionary TokenBinding { + required DOMString status; + DOMString id; }; + + enum TokenBindingStatus { "present", "supported" };
@@ -2962,6 +2980,32 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's :: This member contains the inverse of the `sameOriginWithAncestors` argument value that was passed into the [=internal method=]. + : tokenBinding + :: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating + with the [=[RP]=]. Its absence indicates that the client doesn't support token binding. + +
+ : status + :: This member SHOULD be a member of {{TokenBindingStatus}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the {{CollectedClientData/tokenBinding}} [=map/exist|member does not exist=]. When known, this member is one of the following: + +
+ : supported + :: Indicates the client supports token binding, but it was not negotiated when communicating with the [=[RP]=]. + + : present + :: Indicates token binding was used when communicating with the [=[RP]=]. In this case, the + {{TokenBinding/id}} member MUST be present. +
+ + Note: The {{TokenBindingStatus}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]. + + : id + :: This member MUST be present if {{TokenBinding/status}} is {{TokenBindingStatus/present}}, and MUST be a [=base64url + encoding=] of the [=Token Binding ID=] that was used when communicating with the [=[RP]=]. +
+ + Note: Obtaining a [=Token Binding ID=] is a [=client platform=]-specific operation. + The {{CollectedClientData}} structure is used by the client to compute the following quantities: : JSON-compatible serialization of client data @@ -4338,6 +4382,8 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. +1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. + 1. Let |hash| be the result of computing a hash over |response|.{{AuthenticatorResponse/clientDataJSON}} using SHA-256. 1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the @@ -4497,6 +4543,8 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. +1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. + 
@@ -7063,6 +7111,14 @@ for their contributions as our W3C Team Contacts. "date": "15 December 2012" }, + "TokenBinding": { + "authors": ["A. Popov", "M. Nystroem", "D. Balfanz", "J. Hodges"], + "title": "The Token Binding Protocol Version 1.0", + "href": "https://tools.ietf.org/html/rfc8471", + "status": "IETF Proposed Standard", + "date": "October, 2018" + }, + "EduPersonObjectClassSpec": { "publisher": ["Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir)"], "title": "EduPerson Object Class Specification (200604a)", From 5609bb07aee09078882f35c2c0f7b53bb15b3dc3 Mon Sep 17 00:00:00 2001 From: nicksteele Date: Tue, 13 Jul 2021 12:10:25 -0400 Subject: [PATCH 3/4] update for feedback --- index.bs | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/index.bs b/index.bs index 56ff05ab5..983b099ba 100644 --- a/index.bs +++ b/index.bs @@ -1603,8 +1603,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o :: The inverse of the value of the {{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} argument passed to this [=internal method=]. - : {{CollectedClientData/tokenBinding}} - :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. 
@@ -2032,8 +2030,6 @@ When this method is invoked, the user agent MUST execute the following algorithm :: The inverse of the value of the {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}} argument passed to this [=internal method=]. - : {{CollectedClientData/tokenBinding}} - :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available. 1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|. @@ -2950,8 +2946,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's required DOMString type; required DOMString challenge; required DOMString origin; - boolean crossOrigin; - TokenBinding tokenBinding; + boolean crossOrigin; }; dictionary TokenBinding { @@ -2980,9 +2975,11 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's :: This member contains the inverse of the `sameOriginWithAncestors` argument value that was passed into the [=internal method=]. - : tokenBinding + : \[RESERVED] tokenBinding :: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating - with the [=[RP]=]. Its absence indicates that the client doesn't support token binding. + with the [=[RP]=]. Its absence indicates that the client doesn't support token binding + + Note: While [=Token Binding=] was present in Level 1 and Level 2 of WebAuthn, it should not be expected to be present or supported in future versions of the specification.
: status @@ -4382,8 +4379,6 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. -1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. - 1. Let |hash| be the result of computing a hash over |response|.{{AuthenticatorResponse/clientDataJSON}} using SHA-256. 1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the @@ -4543,8 +4538,6 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as 1. Verify that the value of |C|.{{CollectedClientData/origin}} matches the [=[RP]=]'s [=origin=]. -1. Verify that the value of |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}} matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that |C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}} matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection. - From 0ac8be043b5b576f837525506a2326247f3e99cb Mon Sep 17 00:00:00 2001 From: nicksteele Date: Thu, 15 Jul 2021 16:58:11 -0400 Subject: [PATCH 4/4] update wording --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 983b099ba..6a54e51df 100644 --- a/index.bs +++ b/index.bs 
@@ -2979,7 +2979,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's :: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating with the [=[RP]=]. Its absence indicates that the client doesn't support token binding - Note: While [=Token Binding=] was present in Level 1 and Level 2 of WebAuthn, it should not be expected to be present or supported in future versions of the specification. + Note: While [=Token Binding=] was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The {{CollectedClientData/tokenBinding}} field is reserved so that it will not be reused for a different purpose.
: status
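Review bot: Patch 2 is a byte-for-byte revert of patch 1 (same 57 lines added back, the hunk headers mirror each other), so the pair contributes nothing to the end state of the series; squash patches 1 and 2 away before merging so reviewers only see the final intent in patches 3 and 4, and keep "update for feedback" as the first commit.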
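Review bot: The hunk at @@ -2031 in patch 1 (and the mirrored one in patch 2) replaces `argument passed to this [=internal method=].` with an identical line, and the hunk at @@ -2950 in patch 3 does the same for `boolean crossOrigin;`; the only difference can be trailing whitespace, so either drop those hunk lines or say in the commit message that whitespace is being normalised, otherwise they read as accidental churn.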
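Review bot: In the @@ -2950 hunk of patch 3, removing `TokenBinding tokenBinding;` from `CollectedClientData` leaves `dictionary TokenBinding` and `enum TokenBindingStatus` in the IDL with nothing referring to them, while the prose keeps autolinks to `{{CollectedClientData/tokenBinding}}` (in the `status` description: "treating an unknown value as if the {{CollectedClientData/tokenBinding}} member does not exist", and again in the note added by patch 4) and to `{{TokenBinding/status}}` / `{{TokenBinding/id}}`. With the member gone from the IDL, and the `: tokenBinding` term renamed to `: \[RESERVED] tokenBinding` in the @@ -2980 hunk, check that the Bikeshed build still resolves those links; if the intent is a reserved member, keeping `TokenBinding tokenBinding;` in the IDL and marking it reserved only in prose is the smaller change, and if the intent is removal, the dictionary, the enum and their `status`/`id` descriptions should go in the same hunk.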
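Review bot: In the @@ -2980 hunk of patch 3 the description line loses its full stop ("Its absence indicates that the client doesn't support token binding"), and that sentence now contradicts the note that follows it: once the member is reserved and its use is not expected in Level 3, absence is the normal case and no longer signals anything about the client. Suggest restoring the period and rewording to the effect that the member is not populated by Level 3 clients, and since the protocol is no longer used, downgrade `[[!TokenBinding]]` to an informative `[[TokenBinding]]` so RFC 8471 stops being a normative dependency of the spec.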
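Review bot: The @@ -4382 and @@ -4543 hunks of patch 3 delete the two [=[RP]=] verification steps for `tokenBinding` without replacing them, so the registration and authentication ceremonies no longer say what an RP does when a Level 2 client still populates the member. Add a short statement, either in the reserved member's description or as a ceremony step, that an RP ignores `tokenBinding` if present, so that not checking it is a stated decision rather than a gap, and the RP does not reject otherwise valid responses from older clients.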
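Review bot: The @@ -2979 hunk of patch 4 improves the note, but its context line still carries the missing full stop after "doesn't support token binding" introduced in patch 3; since this patch already touches that paragraph, fix the punctuation here. The new sentence "The {{CollectedClientData/tokenBinding}} field is reserved so that it will not be reused for a different purpose" states the reason well; "field" should be "member" to match the term used elsewhere in this dictionary's descriptions ("This member contains...").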