Fix #622: Clarify PublicKeyCredentialEntity name descriptions #666
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1211,8 +1211,7 @@ optionally evidence of [=user consent=] to a specific transaction. | |
| : <dfn>rp</dfn> | ||
| :: This member contains data about the [=[RP]=] responsible for the request. | ||
|
|
||
| Its value's {{PublicKeyCredentialEntity/name}} member is required. | ||
|
|
||
| Its value's {{PublicKeyCredentialRpEntity/id}} member specifies the [=relying party identifier=] with which the credential | ||
| should be associated. If omitted, its value will be the {{CredentialsContainer}} object's [=relevant | ||
|
|
@@ -1221,14 +1220,8 @@ optionally evidence of [=user consent=] to a specific transaction. | |
| : <dfn>user</dfn> | ||
| :: This member contains data about the user account for which the [=[RP]=] is requesting attestation. | ||
|
|
||
| Its value's {{PublicKeyCredentialEntity/name}}, {{PublicKeyCredentialUserEntity/displayName}} and | ||
|
There was a problem hiding this comment. user's "name" and "displayName" are not required according to CTAP spec. Only user's "id" is required. On FIDO device, RP's "id" and users "id" makes a unique combination to identify a credentials. Rest of the fields are helper details which are optional. There was a problem hiding this comment. For an authenticator with a display (or, for example, an authenticator app on a phone), needs this information to show a useful message. "Do you want to register at example.com with Alex P. Mueller?" is a lot more informative (and, I would argue, security conscious) than "Do you want to register?". Storing this information on the authenticator is more privacy than security sensitive, especially considering that the device is already entrusted with the keys. Perhaps I am biased but I assume authenticator vendors are security and privacy conscious enough to encrypt this additional information. If not, don't buy their products. For getAssertion, I am fine with making this optional. If the device needs the information, it can store it. |
||
| {{PublicKeyCredentialUserEntity/id}} members are required. | ||
|
|
||
| : <dfn>challenge</dfn> | ||
| :: This member contains a challenge intended to be used for generating the newly created credential's [=attestation | ||
|
|
@@ -1273,8 +1266,14 @@ associated. | |
| </xmp> | ||
| <div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity"> | ||
| : <dfn>name</dfn> | ||
| :: A human-readable identifier for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents: | ||
|
|
||
| - When inherited by {{PublicKeyCredentialRpEntity}} it is a human-friendly identifier for the [=[RP]=], intended only | ||
|
|
||
| for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "Awesome Site". | ||
| - When inherited by {{PublicKeyCredentialUserEntity}}, it is a human-readable identifier for a user account. It is | ||
| intended only for display, and SHOULD allow the user to easily tell the difference between user accounts with similar | ||
|
There was a problem hiding this comment. well, when inherited by {{PublicKeyCredentialUserEntity}}, an RP MAY use the I'm thinking we should add a Note: wrt an RP's options when employing There was a problem hiding this comment. I'm not sure what you mean by your first paragraph. The member is required and won't be passed back to the RP, only (optionally) stored by the authenticator. The RP MAY use |
||
| {{PublicKeyCredentialUserEntity/displayName}}s. For example, "[email protected]" or "+14255551234". The [=[RP]=] | ||
| SHOULD let the user choose this, and MAY restrict the choice as needed or appropriate. | ||
|
|
||
| : <dfn>icon</dfn> | ||
| :: A [=URL serializer|serialized=] URL which resolves to an image associated with the entity. For example, this could be | ||
|
|
@@ -1315,7 +1314,8 @@ credential. | |
| :: The [=user handle=] of the user account entity. | ||
|
|
||
| : <dfn>displayName</dfn> | ||
| :: A human-friendly name for the user account, intended only for display. For example, "Alex P. Müller" or "田中 倫". The | ||
| [=[RP]=] SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary. | ||
| </div> | ||
|
|
||
|
|
||
|
|
@@ -3582,14 +3582,14 @@ The sample code for generating and registering a new key follows: | |
|
|
||
| // Relying Party: | ||
| rp: { | ||
| name: "ACME Corporation" | ||
| }, | ||
|
|
||
| // User: | ||
| user: { | ||
| id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)), | ||
| name: "alex.p.mueller@example.com", | ||
| displayName: "Alex P. Müller", | ||
| icon: "https://pics.acme.com/00/p/aBjjjpqPb.png" | ||
| }, | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RP's "name" is optional according to CTAP spec. See below comment.