Fix #622: Clarify PublicKeyCredentialEntity name descriptions #666
Conversation
This resolves w3c#622. This also changes some display name examples to include non-ASCII characters.
|
Why SHOULD for the name uniqueness? Isn't that supposed to be the login name? |
|
Do you mean "why SHOULD and not MUST"? If so: yes, it'll probably be the login name in most cases, but there's no reason to require (nor a way to enforce) that the RP uses it for that. As I understand it the intended use for it is primarily as a recognizable identifier to help the user choose a credential when an authenticator contains multiple first factor credentials with the same |
|
I mean, the |
|
In case of list selection, the (user.name, user.displayName) pair needs to be unique because user.id is not displayable. It seems more logical to require user.name to be unique. Do you see a downside to that requirement? |
|
First of all, there's no way to enforce such a requirement - all that would happen by ignoring it would be that one's own users would be confused. Second, it only really needs to be unique between the accounts owned by that user, and reviewing it now after my previous comments made me realize the uniqueness requirement really doesn't matter since the RP won't see the |
|
Now we are back to two different names which are both only intended for display... |
|
Yes, as far as I can tell that is their only function - please correct me if I'm wrong. However we decided not to make any breaking changes to this this close to CR (see #646), so we're stuck with these fields for now. |
|
Changes look good to me. |
|
@rlin1 Which "id" field? |
|
both, similar to the existing description of name, e.g. "When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=]" |
|
They both link to the definitions of the RP ID and user handle, respectively. Do you want me to duplicate their descriptions? |
|
Good point. Only user.id: I mean id in https://www.w3.org/TR/webauthn/#dom-publickeycredentialentity-id Where RP ID is clear (IMHO), the id in the case of the user entity needs clarification (i.e. purely RP internal use or so). |
|
Sorry, I don't understand what you mean. The |
|
@rlin1 Are we ready to merge? |
index.bs
Outdated
| name member's value to a length equal to or greater than 64 bytes. | ||
| :: A human-readable identifier for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents: | ||
|
|
||
| - When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=], intended only |
index.bs
Outdated
| - When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=], intended only | ||
| for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "Awesome Site". | ||
| - When inherited by {{PublicKeyCredentialUserEntity}}, it is a human-readable identifier for a user account. It is | ||
| intended only for display, and SHOULD allow the user to easily tell the difference between user accounts with similar |
There was a problem hiding this comment.
well, when inherited by {{PublicKeyCredentialUserEntity}}, an RP MAY use the name member's value to store an account identifier (aka a username), yes?
I'm thinking we should add a Note: wrt an RP's options when employing PublicKeyCredentialUserEntity.id and PublicKeyCredentialUserEntity.name.
There was a problem hiding this comment.
I'm not sure what you mean by your first paragraph. The member is required and won't be passed back to the RP, only (optionally) stored by the authenticator. The RP MAY use name for a username, yes, MUST use it, and SHOULD NOT use it for anything too functionally different from a conventional username.
|
Looks good to me. |
There was a problem hiding this comment.
This overall looks good, thanks @emlun !
I do have some detail-level suggestions to discuss below, though. HTH.
index.bs
Outdated
| for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "Awesome Site". | ||
| - When inherited by {{PublicKeyCredentialUserEntity}}, it is a human-readable identifier for a user account. It is | ||
| intended only for display, and SHOULD allow the user to easily tell the difference between user accounts with similar | ||
| {{PublicKeyCredentialUserEntity/displayName}}s. For example, "alexm", [email protected]" or "+14255551234". The |
There was a problem hiding this comment.
s/, alex.p.mueller/, "alex.p.mueller/
| user's name. This identifier is intended for display. [=Authenticators=] MUST accept and store a 64 byte minimum length | ||
| for a name members's value. Authenticators MAY truncate a | ||
| name member's value to a length equal to or greater than 64 bytes. | ||
| :: A human-readable name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents: |
There was a problem hiding this comment.
I would s/-readable/-palatable/. And add this note:
"Note: An identifier that is human-palatable is intended to be rememberable and reproducible by typical human users, in contrast to identifiers that are, for example, randomly generated sequences of bits."
c.f. https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-200604.html
There was a problem hiding this comment.
Sounds good. I'll change to "palatable" in the ...UserEntity bullet point, but leave the top one as "readable" since that applies to both the User and Rp variants and Rp.name doesn't necessarily need to be reproducible. Does that sound good?
There was a problem hiding this comment.
What does copyright legalese say about flat-out copying that definition from the EduPerson spec? Should we reference the EduPerson spec for it?
There was a problem hiding this comment.
As per the 2017-12-13 WG call, this is fair use and attribution is good practice.
index.bs
Outdated
| - When inherited by {{PublicKeyCredentialUserEntity}}, it is a human-readable identifier for a user account. It is | ||
| intended only for display, and SHOULD allow the user to easily tell the difference between user accounts with similar | ||
| {{PublicKeyCredentialUserEntity/displayName}}s. For example, "alexm", [email protected]" or "+14255551234". The | ||
| [=[RP]=] SHOULD let the user choose this, and MAY restrict the choice as needed or appropriate. |
There was a problem hiding this comment.
I suggest: s/ [=[RP]=] SHOULD /=[RP]=] MAY / because this is really up to the RP's deployment context.
Also, after "appropriate.", I would add: "For example, an [=[RP]=] may choose to map human-palatable [=username=] account identifiers to {{PublicKeyCredentialUserEntity}}'s {{PublicKeyCredentialUserEntity/name}}."
..where [=username=] perhaps should link to https://html.spec.whatwg.org/#attr-fe-autocomplete-username (AFAICT, it seems to be the most appropriate place to link "username" to in the greater Web specs space, for our purposes here).
There was a problem hiding this comment.
Apparently, [=username=] already links to https://url.spec.whatwg.org/#concept-url-username . Should we change that?
There was a problem hiding this comment.
Should we change that?
yeah, none of the autolinks for "username" amongst whatwg/w3c specs seemed very satisfying to me, so i was thinking that the link to https://html.spec.whatwg.org/#attr-fe-autocomplete-username would be the most clear for readers in terms of implying that we mean username in the sense of "unique-for-this-rp user account name". Though, I suppose we could just define it as such ourselves.
index.bs
Outdated
| - When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=], intended only | ||
| for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "Awesome Site". | ||
| - When inherited by {{PublicKeyCredentialUserEntity}}, it is a human-readable identifier for a user account. It is | ||
| intended only for display, and SHOULD allow the user to easily tell the difference between user accounts with similar |
|
@equalsJeffH Changes made, please re-review! |
|
LGTM, thx @emlun ! |
|
|
||
| Its value's {{PublicKeyCredentialUserEntity/id}} member contains the [=user handle=] for the account, specified by the | ||
| [=[RP]=]. | ||
| Its value's {{PublicKeyCredentialEntity/name}}, {{PublicKeyCredentialUserEntity/displayName}} and |
There was a problem hiding this comment.
user's "name" and "displayName" are not required according to CTAP spec. Only user's "id" is required.
For very security conscious RPs, who don't want to store any user identifiable information on the FIDO device, they will only set "id" (which is supposed to be random bytes). There is no UI requirement for single account per RP case.
On FIDO device, RP's "id" and users "id" makes a unique combination to identify a credentials. Rest of the fields are helper details which are optional.
There was a problem hiding this comment.
For an authenticator with a display (or, for example, an authenticator app on a phone), needs this information to show a useful message. "Do you want to register at example.com with Alex P. Mueller?" is a lot more informative (and, I would argue, security conscious) than "Do you want to register?".
Storing this information on the authenticator is more privacy than security sensitive, especially considering that the device is already entrusted with the keys. Perhaps I am biased but I assume authenticator vendors are security and privacy conscious enough to encrypt this additional information. If not, don't buy their products.
For getAssertion, I am fine with making this optional. If the device needs the information, it can store it.
| @@ -1343,8 +1350,7 @@ optionally evidence of [=user consent=] to a specific transaction. | |||
| : <dfn>rp</dfn> | |||
| :: This member contains data about the [=[RP]=] responsible for the request. | |||
|
|
|||
| Its value's {{PublicKeyCredentialEntity/name}} member contains the friendly name of the [=[RP]=] (e.g. "Acme Corporation", | |||
| "Widgets, Inc.", or "Awesome Site". | |||
| Its value's {{PublicKeyCredentialEntity/name}} member is required. | |||
There was a problem hiding this comment.
RP's "name" is optional according to CTAP spec. See below comment.
|
@akshayku So should we make Technically, the empty string is a valid value for each of them... but that would of course be a rather ugly workaround. (Replying outside review thread for increased visibility) |
|
Yes, they should be optional. |
|
Would that cause problems for rendering UX for creating/picking credentials? I think especially |
|
There is no UX rendering problem as UX anyway has to deal with similar pattern via CTAP spec and It is RP's decision what user/RP information is wants to store on the FIDO device. If RP supports multiple accounts, it will set the "name" for distinguishing purpose. |
Just note that the RP always supports multiple accounts, because it doesn't know what device the credential will end up on and therefore cannot know whether that device contains (or will contain) a credential for another account. Other than that, I agree. I'll make the requested changes. |
|
By "multiple accounts", I meant "multiple accounts per RP on a FIDO device" RP does not have to always supports multiple accounts per RP case (its his choice). It can however choose to support multiple credential per account on its servers (again it is RP's choice and its the normal case). Even if RP does not know what device the credential will end up on, if it supports one account, the credential will be overwritten if the FIDO device has already been provisioned OR will be created if not already provisioned. In both the cases, no user information is required to be passed by the RP. |
|
What I mean is the RP doesn't know if the user is using the same authenticator for multiple separate accounts for that RP - for example, if a user has one work account and one private account, or if two people share an authenticator. U2F devices don't support this use case, but WebAuthn does. |
|
In normal scenarios, I agree that RP should be setting the name but that is its choice. User has one work account and one private account or two people share an authenticator: These are multiple accounts per RP case and yes, if RP supports it, it should set the name. For RP who don't want to support such scenario, like may be it is an bank/enterprise where they distribute the keys and may want to support only one account per RP, it may not want to set user information due to privacy reasons. |
|
There's still no way in the current spec for the bank to actually enforce that, though, only to make it inconvenient by not setting the account name. I might very well be bikeshedding here, since the RP can always just set an empty or bogus value, but I feel more inclined to take the user's side in this. I've changed my mind back to thinking |
|
We are extrapolating what RP's can and will do. Empty/Bogus value don't provide any value. Same can be said about displayName and making this required just make it confusing. Best is to stay consistent with CTAP spec. I don't see any reason departing from CTAP spec and I don't agree with making user.name as a required parameter. |
|
All right. Does @equalsJeffH object to making |
|
we ought not rush into making this breaking change. i will write longer thoughts on it tomorrow. |
|
Ah.. If it is breaking, lets not change them. |
|
It seems to me that @akshayku is raising a new issue (in #666 (comment) and #666 (review)) that is not per se related to the thrust of this PR. I suggest that we merge this PR as-is and @akshayku submit a new issue (if still desired). Note that we recently went through the exercise of aligning the webauthn IDL and the #createCredential/#getAssertion algorithms' language: PR #669, Issues #538, #537. The so-called "enforced single account per RP use case" (i.e., what @akshayku is calling "single account per RP case") seems to me a special case. IIUC, an RP wishes to not reveal values for |
This resolves #622. This also changes some display name examples to
include non-ASCII characters.
Preview | Diff