Only exclude CredIDs matching the RPID #651
Conversation
Only credentials in the exclude credentials list that match this RPID should result in a not allowed error.
|
|
|
|
|
Scratch that, I'll leave this to the requested reviewers instead. :) |
index.bs
Outdated
| 1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is present on this authenticator. If | ||
| so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. | ||
| 1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is present on this authenticator for | ||
| the supplied |rpId|. If so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. |
There was a problem hiding this comment.
Wel, I am not a native English speaker :),
There was a problem hiding this comment.
No worries -- is there a submitted issue corresponding to this PR ? if not please submit one, and I can/will address in pr #498
There was a problem hiding this comment.
Ok, I submitted issue #654 for this.
There was a problem hiding this comment.
It has to be rpEntity.id. Apart from that it looks fine to me.
|
I disagree with adding this into the algorithm steps, as it implies checking the There should be a correspondence between a Credential ID and an RP ID, but it has to be managed by the authenticator. Some authenticators might use business logic here ("I made this CredID for X.Y, but this is for Z.Y, nope!"), some might use cryptography to mix the RP ID into the Credential ID's byte array. That's an implementation detail. IMO this should go into the security considerations section instead. Maybe something to the effect of: |
|
Apologies, I misunderstood which section this was actually being placed into -- this does make sense for the authenticator's makeCredential algorithm. I'll properly review. |
|
Marked as non substantive for IPR from ash-nazg. |
index.bs
Outdated
| 1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is present on this authenticator. If | ||
| so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. | ||
| 1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is present on this authenticator for | ||
| the supplied |rpId|. If so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. |
There was a problem hiding this comment.
It has to be rpEntity.id. Apart from that it looks fine to me.
index.bs
Outdated
| so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation. | ||
| 1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is present on this authenticator for | ||
| the supplied <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code>. If so, return an error code equivalent to | ||
| "{{NotAllowedError}}" and terminate the operation. |
There was a problem hiding this comment.
this step, where we are matching creds bound to an authnr to credDescriptors, is similar to step 16.2 in section #discover-from-external-source. Note that the latter step matches on rpId, credential ID, and cred type.
Should not this authenticatorMakeCredential step similarly match on the same items?
e.g.:
1. Check if a credential matching an [=list/item=] of |excludeCredentialDescriptorList| is bound to this authenticator by matching with <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code>, <code>|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}</code>, and <code>|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/type}}</code>. If so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
There was a problem hiding this comment.
I believe that is inherent in checking [=list/item] but the check for the rpID is not. It perfectly possible that an item is present on the authenticator but for a different rpID while if ID and type are invalid, this cannot be a credential on this authenticator.
There was a problem hiding this comment.
It seems you @jovasco are saying that we do not need to be explicit regarding the definition of "matching" in this context. However, the present language in step 16.2 in section #discover-from-external-source is the result of addressing issue #280. I would not be surprised to have a similar issue raised here down the road if we are not explicit. Is there any harm/errors with the proposed language above?
There was a problem hiding this comment.
@equalsJeffH Alright, if we do this, we better do it right:
- Check if a credential matching an
[=list/item=]of|excludeCredentialDescriptorList|is bound to this authenticator with the following procedure:- verify that the
|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}was generated by this Authenticator. - verify that the
|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/type}}matches the|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}} - verify that
|rpEntity|.{{PublicKeyCredentialRpEntity/id}}is identical to the one used to create the|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}.
- verify that the
If all of these check succeed, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
If you agree I will update the pull request for both make crednetial and getassertion.
There was a problem hiding this comment.
@jovasco proposed:
- Check if a credential matching an
[=list/item=]of|excludeCredentialDescriptorList|is bound to this authenticator with the following procedure:
hm, I think i see whay you are getting at -- i.e., being even more explicit -- though, this does not seem correct to me...in the above, do you mean to also say "...for each item of |excludeCredentialDescriptorList| ?
i. verify that the <code>|excludeCredentialDescriptorList|. {{PublicKeyCredentialDescriptor/id}}</code> was generated by this Authenticator.
in the above, "generated by this authnr" is not what we are looking for. Rather, we are trying to ascertain whether there exists a cred bound to this authnr having a credential ID matching |excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}.
ii. verify that the <code>|excludeCredentialDescriptorList|. {{PublicKeyCredentialDescriptor/type}}</code> matches the <code>|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}</code>
in the above, do you mean to say something like "if there exists a cred bound to this authnr whose {{PublicKeyCredentialDescriptor/type}} value matches |excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/type}} ?
iii. verify that <code>|rpEntity|.{{PublicKeyCredentialRpEntity/id}}</code> is identical to the one used to create the <code>|excludeCredentialDescriptorList|. {{PublicKeyCredentialDescriptor/id}}</code>.
in the above, do you mean to say something like "if there exists a cred bound to this authnr whose RP ID matches |excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/id}}" ?
Perhaps the below works ?
3. Check if any credential, bound to this authenticator and matching an [=list/item=] of |excludeCredentialDescriptorList|, exists. A match occurs if a credential matches all of an |excludeCredentialDescriptorList| item's <code>|rpEntity|. {{PublicKeyCredentialRpEntity/id}}</code>, <code>|excludeCredentialDescriptorList|. {{PublicKeyCredentialDescriptor/id}}</code>, and <code>|excludeCredentialDescriptorList|.{{PublicKeyCredentialDescriptor/type}}</code>. If so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
There was a problem hiding this comment.
@equalsJeffH I modified it slightly. rpId is not part of the exclude list item and I found the language a bit tortured.
|
review of this is here: #651 (review) |
|
Do we similarly need to refine step 3 of the authenticatorGetAssertion operation (#op-get-assertion)? |
|
@equalsJeffH Yes, we do. |
|
@equalsJeffH Yes. |
|
Fixed. |
|
@akshayku Have you reviewed the changes yet as we would like to merge this |
|
i still have a question here: #651 (comment) |
|
reply to @jovasco here: #651 (comment) |
|
I'm willing to take over this PR to resolve @equalsJeffH 's comments if @jovasco does not have time to do it this week. I can do it on Friday, 3 Nov. |
Also added a reference to the list item back in the correct place.
|
thanks, this looks good to me. |
Only credentials in the exclude credentials list that match this RPID should result in a not allowed error.
Preview | Diff