Remove TokenBinding #1630

Merged
merged 4 commits into from
Jul 28, 2021
Changes from 1 commit
58 changes: 1 addition & 57 deletions index.bs
Expand Up @@ -176,12 +176,6 @@ spec: url; urlPrefix: https://url.spec.whatwg.org
text: scheme; url: concept-url-scheme
text: port; url: concept-url-port


spec: TokenBinding; urlPrefix: https://tools.ietf.org/html/rfc8471#
type: dfn
text: Token Binding; url: section-1
text: Token Binding ID; url: section-3.2

spec: credential-management-1; urlPrefix: https://w3c.github.io/webappsec-credential-management/
type: dictionary
text: CredentialCreationOptions; url: dictdef-credentialcreationoptions
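Review bot: Dropping the `spec: TokenBinding` autolink block (the two `text:` entries for `Token Binding` and `Token Binding ID`) only builds cleanly if every `[=Token Binding=]` and `[=Token Binding ID=]` autolink in index.bs goes away in the same change. The later hunks in this file remove the ones in the client-data construction steps, the dictionary definitions and the two RP verification steps, so please confirm the bikeshed build reports no unresolved-link warnings before merging; that is the only check that catches a stray reference in a section this diff does not touch.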
Expand Down Expand Up @@ -1603,8 +1597,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
:: The inverse of the value of the
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.
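Review bot: The `: {{CollectedClientData/tokenBinding}}` / `:: The status of [=Token Binding=] ...` pair is removed cleanly here, leaving `crossOrigin` as the last member the client populates, and the `<dl>` entries before it are untouched, so nothing further is needed in this hunk. Worth a sentence somewhere in the PR, though: clients built against the previous text will keep emitting a `tokenBinding` member for a while, and after this change the spec no longer describes it or says that RPs may still see it. The extensibility note on {{CollectedClientData}} (visible in the 2951 hunk header) probably covers it, but a changelog line pointing implementers at that note would help.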

Expand Down Expand Up @@ -2031,9 +2023,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
: {{CollectedClientData/crossOrigin}}
:: The inverse of the value of the
{{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.
argument passed to this [=internal method=].

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.
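Review bot: The single `+` line of this PR is here: `argument passed to this [=internal method=].` is re-inserted directly after the `{{PublicKeyCredential/[[DiscoverFromExternalSource]](...)/sameOriginWithAncestors}}` line, and the old copy that had ended up below the `tokenBinding` entry is deleted together with that entry. The previous text had the `tokenBinding` `<dt>`/`<dd>` pair wedged into the middle of the `crossOrigin` sentence, so this hunk fixes a pre-existing editorial bug as well as removing the member; the commit message should say so, so that the extra addition is not mistaken for an unrelated change.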

Expand Down Expand Up @@ -2951,15 +2941,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
required DOMString challenge;
required DOMString origin;
boolean crossOrigin;
TokenBinding tokenBinding;
};

dictionary TokenBinding {
required DOMString status;
DOMString id;
};

enum TokenBindingStatus { "present", "supported" };
</xmp>

<div dfn-type="dict-member" dfn-for="CollectedClientData">
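Review bot: Removing `TokenBinding tokenBinding;` from {{CollectedClientData}} together with the `TokenBinding` dictionary and the `TokenBindingStatus` enum is internally consistent. What this diff does not touch is the `<dfn dfn>JSON-compatible serialization of client data</dfn>` algorithm that follows the dictionary (its heading is the last context line of the 2980 hunk): if its body enumerates the members it serializes rather than iterating over the dictionary, the `tokenBinding` entry there needs removing too, otherwise the serialization text will reference a member the IDL no longer declares.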
Expand All @@ -2980,32 +2962,6 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
:: This member contains the inverse of the `sameOriginWithAncestors` argument value
that was passed into the [=internal method=].

: <dfn>tokenBinding</dfn>
:: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating
with the [=[RP]=]. Its absence indicates that the client doesn't support token binding.

<div dfn-type="dict-member" dfn-for="TokenBinding">
: <dfn>status</dfn>
:: This member SHOULD be a member of {{TokenBindingStatus}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the {{CollectedClientData/tokenBinding}} [=map/exist|member does not exist=]. When known, this member is one of the following:

<div dfn-type="enum-value" dfn-for="TokenBindingStatus">
: <dfn>supported</dfn>
:: Indicates the client supports token binding, but it was not negotiated when communicating with the [=[RP]=].

: <dfn>present</dfn>
:: Indicates token binding was used when communicating with the [=[RP]=]. In this case, the
{{TokenBinding/id}} member MUST be present.
</div>

Note: The {{TokenBindingStatus}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].

: <dfn>id</dfn>
:: This member MUST be present if {{TokenBinding/status}} is {{TokenBindingStatus/present}}, and MUST be a [=base64url
encoding=] of the [=Token Binding ID=] that was used when communicating with the [=[RP]=].
</div>

Note: Obtaining a [=Token Binding ID=] is a [=client platform=]-specific operation.

The {{CollectedClientData}} structure is used by the client to compute the following quantities:

: <dfn dfn>JSON-compatible serialization of client data</dfn>
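Review bot: The removed Note `The {{TokenBindingStatus}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]` points at a section this diff leaves untouched. That section is the reason `status` was typed as `DOMString` rather than as the enum, so it very likely uses `TokenBindingStatus` as its worked example; with the enum gone from the IDL in the previous hunk, any `{{TokenBindingStatus}}` autolink left there will fail to resolve, and the example will need to be generalised or pointed at another `DOMString`-typed member. Please check that section in this PR rather than in a follow-up.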
Expand Down Expand Up @@ -4382,8 +4338,6 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Let |hash| be the result of computing a hash over <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code> using SHA-256.
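Review bot: Dropping the `tokenBinding.status` / `tokenBinding.id` verification step is the right RP-side change, and the remaining steps need no renumbering because the list uses bikeshed's auto-numbered `1.` items. Two observations: the deleted step in this registration-ceremony list spoke of the TLS connection "over which the [=assertion=] was obtained", while the copy in the authentication ceremony says "attestation", so the two had been swapped all along and disappear with this PR; and because the next step hashes `|response|.{{AuthenticatorResponse/clientDataJSON}}` as raw bytes with SHA-256, a `tokenBinding` member still emitted by an older client does not affect signature verification at all, only the RP's JSON parsing, which must tolerate the unknown member.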

1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the
Expand Down Expand Up @@ -4543,8 +4497,6 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list :-/
-->
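Review bot: Same removal as in the registration ceremony, so no issue with the deleted lines themselves; but the HTML comment that follows (`Note: this next step is actually a top-level step, but bikeshed wanted it indented this much ...`) documents an indentation workaround that was tuned while the tokenBinding step sat directly above it. Now that the origin check is the immediately preceding item, please re-check the rendered output to confirm the step after the comment still renders as a numbered step and not as a bullet, which is exactly the failure mode the comment describes.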
Expand Down Expand Up @@ -7111,14 +7063,6 @@ for their contributions as our W3C Team Contacts.
"date": "15 December 2012"
},

"TokenBinding": {
"authors": ["A. Popov", "M. Nystroem", "D. Balfanz", "J. Hodges"],
"title": "The Token Binding Protocol Version 1.0",
"href": "https://tools.ietf.org/html/rfc8471",
"status": "IETF Proposed Standard",
"date": "October, 2018"
},

"EduPersonObjectClassSpec": {
"publisher": ["Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir)"],
"title": "EduPerson Object Class Specification (200604a)",
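Review bot: Removing the `TokenBinding` biblio entry (RFC 8471) is correct only if no `[[TokenBinding]]` or `[[!TokenBinding]]` citation survives; the only one visible in this diff, in the removed `tokenBinding` definition, is deleted in the 2980 hunk. Bikeshed fails on an unresolved biblio reference, so the build will catch a stray citation. If the editors want to keep a pointer for readers maintaining older RP implementations, an informative entry could stay, but as a normative reference it should go with the feature, as this hunk does.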