[webauthn] various issues with AppId extension from =JeffH via GitHub on 2017-06-07 (public-webauthn@w3.org from June 2017)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 07 Jun 2017 20:05:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-234326357-1496865916-sysbot+gh@w3.org>

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== various issues with AppId extension ==
There are various issues with the AppId extension as presently written:

1.  why is [the appId extension](https://w3c.github.io/webauthn/#sctn-appid-extension) used only during [get()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get) (which in this case is impl'd by [PublicKeyCredential’s  \[\[DiscoverFromExternalSource\]\](options) method)](https://w3c.github.io/webauthn/#getAssertion)?  If browsers will initially be using U2F authenticators (authnrs) underneath WebAuthn, will they not need to pass an appId down to the authnr during [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create)  (which in this case is impl'd by [PublicKeyCredential’s \[\[Create\]\](options) method](https://w3c.github.io/webauthn/#createCredential)) ?  

    The description of the appid extension says:
    > This authentication extension allows Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion.

     But if the initial authnrs are U2F, will they not also need to perform [registration](https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-messages)? 

2.  the rpId is not syntactically the same (at this time) as the appId. The RP ID is "a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string)", while the appid is a [serialized origin](https://html.spec.whatwg.org/#ascii-serialisation-of-an-origin).  So one cannot simply overwrite the RP ID (at this time) with an appid.


3.  "client extension processing" references step 3 of [{#getAssertion}](https://w3c.github.io/webauthn/#getAssertion)   though I believe that is now step 7 of the latter alg. 


4.  "client extension processing" says in part:
    > Replace the calculation of rpId in [Step 7 of {#getAssertion}](https://w3c.github.io/webauthn/#GetAssn-DetermineRpId) with the following procedure: The client uses the value of appid to perform the AppId validation procedure (as defined by [FIDO-APPID]). If valid, the value of rpId for all client processing should be replaced by the value of appid. 

    But we cannot do simply that because of the syntactic differences between rpId and appid.


(off-the-cuff unvalidated) solution options:

S1.  alter RP ID syntax to be serialized origin

S2.  have appid extn add additional "appid" dictionary item to the options passed into both [[Create]](options) and [[DiscoverFromExternalSource]](options)


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/491 using your GitHub account

Received on Wednesday, 7 June 2017 20:05:24 UTC