From cacd06d3463ceebefdd8512ffdc28af24dc7b3ea Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Tue, 29 Aug 2023 16:18:31 -0700
Subject: [PATCH 01/18] Initial text for conditional create

---
 index.bs | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 67 insertions(+), 5 deletions(-)

diff --git a/index.bs b/index.bs
index 28eaedd3d..745795620 100644
--- a/index.bs
+++ b/index.bs
@@ -1726,8 +1726,14 @@ To support obtaining assertions via {{CredentialsContainer/get()|navigator.crede
 {{PublicKeyCredential}}'s [=interface object=]'s implementation of the <dfn for="PublicKeyCredential" method>\[[Create]](origin,
 options, sameOriginWithAncestors)</dfn> [=internal method=] [[!CREDENTIAL-MANAGEMENT-1]] allows
 [=[WRP]=] scripts to call {{CredentialsContainer/create()|navigator.credentials.create()}} to request the creation of a new
-[=public key credential source=], [=bound credential|bound=] to an [=authenticator=]. This
-{{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
+[=public key credential source=], [=bound credential|bound=] to an [=authenticator=].
+
+By setting <code>|options|.{{CredentialRequestOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}},
+[=[RPS]=] can indicate that a prominent modal UI should <i>not</i> be shown <i>unless</i> the user has already consented to create a credential via the [=conditionalCreate|conditionalCreate extension=]). [=[RP]=] script SHOULD first check that [conditionalCreate] is present
+in {=ClientCapabilities=} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
+not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
+
+This {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
 
 
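Review bot: In the added paragraph, `|options|` is the argument to navigator.credentials.create(), but the link is `{{CredentialRequestOptions/mediation}}`, which names the get() options dictionary; it should point at the creation options. The same paragraph has an unmatched `)` after `[=conditionalCreate|conditionalCreate extension=]`, and `[conditionalCreate]` and `{=ClientCapabilities=}` do not match any link form used in the surrounding text, so they will probably render literally. Please link both explicitly.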
@@ -1766,6 +1772,11 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. If <var ignore>sameOriginWithAncestors</var> is [FALSE]:
 
+    1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+     {{CredentialMediationRequirement/conditional}}:
+
+        1. Throw a "{{NotAllowedError}}" {{DOMException}}
+
     1. If the [=relevant global object=], as determined by the calling
         {{CredentialsContainer/create()}} implementation, does not have
         [=transient activation=]:
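Review bot: The new substep under "sameOriginWithAncestors is [FALSE]" rejects every conditional request from a cross-origin context but gives no rationale; a one-line Note explaining why would help implementers. In the same substep, `{{CredentialRequestOptions/mediation}}` names the get() dictionary inside the create() algorithm, the continuation line `{{CredentialMediationRequirement/conditional}}:` is indented five spaces instead of aligning with the item text, and the Throw step lacks its final period.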
@@ -1903,6 +1914,13 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     [=authenticators=] can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
     or discovered (e.g., via NFC or Bluetooth) by the [=client=] by various mechanisms, or permanently built into the [=client=].
 
+1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+     {{CredentialMediationRequirement/conditional}}:
+
+    1. If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|, throw a "{{NotAllowedError}}" {{DOMException}}.
+
+    1. Set |lifetimeTimer| to a client-specific default.
+
 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
 
 1. Start |lifetimeTimer|.
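Review bot: The check `If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|` does not cover the case where neither value has ever been set, for example a conditional create() call with no earlier ceremony. Please state that an unset timer counts as expired and an unset origin never matches, so the step fails closed, and define both variables before this first use.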
@@ -2182,7 +2200,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                     |authenticator| and [=set/remove=] it from |issuedRequests|.
 
                 1. Return |constructCredentialAlg| and terminate this algorithm.
-
         </dl>
     </li>
 
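Review bot: Removing the blank line before `</dl>` is the only change in this hunk and is unrelated to conditional create; please drop it so the diff stays limited to the new text.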
@@ -2191,7 +2208,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     [[#sctn-make-credential-privacy]] for details.
 
 During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
-authorizing an authenticator.
+authorizing an authenticator. When <code>|options|.{{CredentialRequestOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to.
 </div>
 
 
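Review bot: The appended sentence uses lowercase `should <i>not</i>` directly after a sentence that uses the normative SHOULD, so it is unclear whether suppressing modal UI is a requirement. Use SHOULD NOT if it is normative, and say what "previously consented to" refers to, since this paragraph does not define how or when that consent is recorded.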
@@ -4888,7 +4905,6 @@ client ignores any further responses from the authenticator for the canceled ope
 This operation is ignored if it is invoked in an [=authenticator session=] which does not have an [=authenticatorMakeCredential=]
 or [=authenticatorGetAssertion=] operation currently in progress.
 
-
 ### The <dfn>silentCredentialDiscovery</dfn> operation ### {#sctn-op-silent-discovery}
 
 This is an OPTIONAL operation authenticators MAY support to enable {{CredentialMediationRequirement/conditional}}
@@ -6714,6 +6730,52 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 : Authenticator extension output
 :: None.
 
+### Conditional Create Extension (<dfn>conditionalCreate</dfn>) ### {#sctn-authenticator-conditional-create-extension}
+
+This [=client extension|client=] [=authentication extension=] indicates that the RP would like to create a credential after an authenticaton ceremony is successfully mediated by the user agent.
+
+
+: Extension identifier
+:: `conditionalCreate`
+
+: Operation applicability
+:: [=authentication extension|Authentication=]
+
+: Client extension input
+:: The Boolean value [TRUE] to indicate that this extension is requested by the [=[RP]=].
+    <xmp class="idl">
+    partial dictionary AuthenticationExtensionsClientInputs {
+        boolean conditionalCreate;
+    };
+    </xmp>
+
+: Client extension processing
+
+:: When [[[#sctn-getAssertion|assertion]]:
+        1. Just after [establishing the RP ID](#GetAssertion-DetermineConditional) perform these steps:
+
+            1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not present or does not have the value
+     {{CredentialMediationRequirement/conditional}}:
+
+                1. Throw a "{{NotAllowedError}}" {{DOMException}}
+
+        1. When [showing conditional assertion form control](GetAssn-ConditionalMediation-Interact-FormControl):
+
+            1. Inform the user that the RP will create a credential if the user agent mediates the authentication ceremony.
+
+            1. Set conditionalCreateLifetimeTimer to a client-specific default.
+
+            1. Set conditionalCreateOrigin to the current origin.
+
+        1. If the user agent mediates the authentication ceremony while the conditional assertion is running:
+
+            1. Start conditionalCreateLifetimeTimer.
+
+            1. Optionally collect an [=authorization gesture=] confirming [=user consent=] to create the credential which may later be used to skip (this step)[#op-makecred-step-user-consent] when processing an associated {{CredentialsContainer/get()|navigator.credentials.get()}} call with <code>|options|.{{CredentialRequestOptions/mediation}}</code> set to {{CredentialMediationRequirement/conditional}}.
+
+: Client extension output
+:: None
+
 
 ### Credential Properties Extension (<dfn>credProps</dfn>) ### {#sctn-authenticator-credential-properties-extension}
 
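Review bot: The last processing step says the collected consent is used "when processing an associated {{CredentialsContainer/get()|navigator.credentials.get()}} call", but the step it skips is `#op-makecred-step-user-consent`, whose name points at credential creation, so this should refer to create(). In the same definition, `(this step)[#op-makecred-step-user-consent]` has the link text and target delimiters swapped, `(GetAssn-ConditionalMediation-Interact-FormControl)` lacks its `#`, `[[[#sctn-getAssertion|assertion]]` has an extra `[`, "authenticaton" is misspelled, and `conditionalCreateLifetimeTimer` and `conditionalCreateOrigin` are not marked up as variables although the create() algorithm refers to them as `|...|`.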

From eb9dd9f7c23863dc1ae9707127e28093d38e50f7 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Wed, 6 Sep 2023 15:42:53 +0200
Subject: [PATCH 02/18] Fix indentation and extraneous opening bracket

---
 index.bs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/index.bs b/index.bs
index 745795620..b9569da00 100644
--- a/index.bs
+++ b/index.bs
@@ -1773,7 +1773,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 1. If <var ignore>sameOriginWithAncestors</var> is [FALSE]:
 
     1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
-     {{CredentialMediationRequirement/conditional}}:
+        {{CredentialMediationRequirement/conditional}}:
 
         1. Throw a "{{NotAllowedError}}" {{DOMException}}
 
@@ -6751,11 +6751,11 @@ This [=client extension|client=] [=authentication extension=] indicates that the
 
 : Client extension processing
 
-:: When [[[#sctn-getAssertion|assertion]]:
+:: When [[#sctn-getAssertion|assertion]]:
         1. Just after [establishing the RP ID](#GetAssertion-DetermineConditional) perform these steps:
 
             1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not present or does not have the value
-     {{CredentialMediationRequirement/conditional}}:
+                {{CredentialMediationRequirement/conditional}}:
 
                 1. Throw a "{{NotAllowedError}}" {{DOMException}}
 
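Review bot: `:: When [[#sctn-getAssertion|assertion]]:` still reads as an incomplete clause ("When assertion:"). Please reword the lead-in so it names the ceremony or operation during which these steps run, or drop it if the numbered steps are self-explanatory.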

From 65066faee35fbb9740d5cc7769a448d564c4f709 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Mon, 11 Sep 2023 09:34:51 +0200
Subject: [PATCH 03/18] Address comments

---
 index.bs | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/index.bs b/index.bs
index b9569da00..8ce4de7b5 100644
--- a/index.bs
+++ b/index.bs
@@ -1728,12 +1728,12 @@ options, sameOriginWithAncestors)</dfn> [=internal method=] [[!CREDENTIAL-MANAGE
 [=[WRP]=] scripts to call {{CredentialsContainer/create()|navigator.credentials.create()}} to request the creation of a new
 [=public key credential source=], [=bound credential|bound=] to an [=authenticator=].
 
-By setting <code>|options|.{{CredentialRequestOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}},
-[=[RPS]=] can indicate that a prominent modal UI should <i>not</i> be shown <i>unless</i> the user has already consented to create a credential via the [=conditionalCreate|conditionalCreate extension=]). [=[RP]=] script SHOULD first check that [conditionalCreate] is present
+By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}},
+[=[RPS]=] can indicate xc that a prominent modal UI should <i>not</i> be shown <i>unless</i> the user has already consented to create a credential via the [=conditionalCreate|conditionalCreate extension=]). [=[RP]=] script SHOULD first check that [conditionalCreate] is present
 in {=ClientCapabilities=} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
 
-This {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
+Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
 
 
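Review bot: The rewritten sentence introduces a stray `xc` in `[=[RPS]=] can indicate xc that`, and the unmatched `)` after `[=conditionalCreate|conditionalCreate extension=]` is carried over from the previous wording. Both should be removed before this lands.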
@@ -2282,19 +2282,22 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. Let |pkOptions| be the value of <code>|options|.{{CredentialRequestOptions/publicKey}}</code>.
 
-1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
-    {{CredentialMediationRequirement/conditional}}:
 
-    1. Let |credentialIdFilter| be the value of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>.
+        <li id='GetAssn-DetermineConditional'>
+            If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+            {{CredentialMediationRequirement/conditional}}:
+
+            1. Let |credentialIdFilter| be the value of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>.
 
-    1. Set <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> to [=list/empty=].
+            1. Set <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> to [=list/empty=].
 
-        Note: This prevents [=non-discoverable credentials=] from being used during {{CredentialMediationRequirement/conditional}} requests.
+                Note: This prevents [=non-discoverable credentials=] from being used during {{CredentialMediationRequirement/conditional}} requests.
 
-    1. Set a timer |lifetimeTimer| to a value of infinity.
+            1. Set a timer |lifetimeTimer| to a value of infinity.
 
-        Note: |lifetimeTimer| is set to a value of infinity so that the user has the entire lifetime of
-        the [=Document=] to interact with any <{input}> form control tagged with a `"webauthn"` [=autofill detail token=]. For example, upon the user clicking in such an input field, the user agent can render a list of discovered credentials for the user to select from, and perhaps also give the user the option to "try another way".
+                Note: |lifetimeTimer| is set to a value of infinity so that the user has the entire lifetime of
+                the [=Document=] to interact with any <{input}> form control tagged with a `"webauthn"` [=autofill detail token=]. For example, upon the user clicking in such an input field, the user agent can render a list of discovered credentials for the user to select from, and perhaps also give the user the option to "try another way".
+        </li>
 
 1. Else:
 
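Review bot: The raw `<li id='GetAssn-DetermineConditional'>` sits between Markdown-numbered steps (`1. Let |pkOptions|` above, `1. Else:` below) with no enclosing list element visible in the hunk, and its eight-space indentation differs from its siblings, so it may no longer render as the step that `1. Else:` pairs with. If the only goal is an anchor for the extension text to link to, please check the rendered numbering or attach the id in a way that keeps the item in the Markdown list.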
@@ -6732,7 +6735,7 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 
 ### Conditional Create Extension (<dfn>conditionalCreate</dfn>) ### {#sctn-authenticator-conditional-create-extension}
 
-This [=client extension|client=] [=authentication extension=] indicates that the RP would like to create a credential after an authenticaton ceremony is successfully mediated by the user agent.
+This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential after an authentication ceremony is successfully mediated by the user agent.
 
 
 : Extension identifier
@@ -6752,26 +6755,26 @@ This [=client extension|client=] [=authentication extension=] indicates that the
 : Client extension processing
 
 :: When [[#sctn-getAssertion|assertion]]:
-        1. Just after [establishing the RP ID](#GetAssertion-DetermineConditional) perform these steps:
+        1. Just after [establishing the RP ID](#GetAssn-DetermineConditional) perform these steps:
 
             1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not present or does not have the value
                 {{CredentialMediationRequirement/conditional}}:
 
                 1. Throw a "{{NotAllowedError}}" {{DOMException}}
 
-        1. When [showing conditional assertion form control](GetAssn-ConditionalMediation-Interact-FormControl):
+        1. When [showing conditional assertion form control](#GetAssn-ConditionalMediation-Interact-FormControl):
 
-            1. Inform the user that the RP will create a credential if the user agent mediates the authentication ceremony.
+            1. Inform the user that the [=[RP]=] will create a credential if the user agent mediates the authentication ceremony.
 
-            1. Set conditionalCreateLifetimeTimer to a client-specific default.
+            1. Set |conditionalCreateLifetimeTimer| to a client-specific default.
 
-            1. Set conditionalCreateOrigin to the current origin.
+            1. Set |conditionalCreateOrigin| to the current origin.
 
         1. If the user agent mediates the authentication ceremony while the conditional assertion is running:
 
-            1. Start conditionalCreateLifetimeTimer.
+            1. Start |conditionalCreateLifetimeTimer|.
 
-            1. Optionally collect an [=authorization gesture=] confirming [=user consent=] to create the credential which may later be used to skip (this step)[#op-makecred-step-user-consent] when processing an associated {{CredentialsContainer/get()|navigator.credentials.get()}} call with <code>|options|.{{CredentialRequestOptions/mediation}}</code> set to {{CredentialMediationRequirement/conditional}}.
+            1. Optionally collect an [=authorization gesture=] confirming [=user consent=] to create the credential which may later be used to skip (this step)[#op-makecred-step-user-consent].
 
 : Client extension output
 :: None
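Review bot: The link text "establishing the RP ID" now targets `#GetAssn-DetermineConditional`, which this patch places on the conditional-mediation step, so the text and the target disagree; reword the link text to match the step. In the last processing step, `(this step)[#op-makecred-step-user-consent]` still has the bracket and parenthesis roles swapped and will not render as a link.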

From c14f20ae02133f2f026d7e8d91ca3157152bf709 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Tue, 12 Sep 2023 10:30:25 +0200
Subject: [PATCH 04/18] Remove the requirement that conditionalCreate extension
 was used

---
 index.bs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/index.bs b/index.bs
index 8ce4de7b5..676ab60c4 100644
--- a/index.bs
+++ b/index.bs
@@ -1729,7 +1729,7 @@ options, sameOriginWithAncestors)</dfn> [=internal method=] [[!CREDENTIAL-MANAGE
 [=public key credential source=], [=bound credential|bound=] to an [=authenticator=].
 
 By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}},
-[=[RPS]=] can indicate xc that a prominent modal UI should <i>not</i> be shown <i>unless</i> the user has already consented to create a credential via the [=conditionalCreate|conditionalCreate extension=]). [=[RP]=] script SHOULD first check that [conditionalCreate] is present
+[=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. [=[RP]=] script SHOULD first check that [conditionalCreate] is present
 in {=ClientCapabilities=} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
 
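Review bot: The new wording "if user has already consented" is missing an article ("if the user has"), and the unchanged tail of the paragraph still uses `[conditionalCreate]` and `{=ClientCapabilities=}`, which do not match any link form used elsewhere in this text. Since the sentence is being rewritten anyway, fix both here.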
@@ -1919,6 +1919,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 
     1. If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|, throw a "{{NotAllowedError}}" {{DOMException}}.
 
+    Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has been completed and the user consents to this type of credential creation.
+
     1. Set |lifetimeTimer| to a client-specific default.
 
 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
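Review bot: "after it believes an authentication ceremony has been completed" in the new Note is too vague for a condition that gates credential creation without prominent modal UI; say which observable event causes the user agent to set `|conditionalCreateLifetimeTimer|` and `|conditionalCreateOrigin|`. The Note is also indented at the same level as the numbered substeps it sits between, which can split the list; indent it under the substep it annotates.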
@@ -6735,7 +6737,7 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 
 ### Conditional Create Extension (<dfn>conditionalCreate</dfn>) ### {#sctn-authenticator-conditional-create-extension}
 
-This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential after an authentication ceremony is successfully mediated by the user agent.
+This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential if the authentication ceremony is completed successfully.
 
 
 : Extension identifier

From 6c6184bc73b75c7fab3a00ae055947d1ac8de00b Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 20 Dec 2023 10:52:00 -0800
Subject: [PATCH 05/18] Add recommended time period floor for
 conditionalCreateLifetimeTimer

---
 index.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index 676ab60c4..0732e3daa 100644
--- a/index.bs
+++ b/index.bs
@@ -6768,7 +6768,7 @@ This [=client extension|client=] [=authentication extension=] indicates that the
 
             1. Inform the user that the [=[RP]=] will create a credential if the user agent mediates the authentication ceremony.
 
-            1. Set |conditionalCreateLifetimeTimer| to a client-specific default.
+            1. Set |conditionalCreateLifetimeTimer| to a client-specific default. A period of at least two minutes is RECOMMENDED.
 
             1. Set |conditionalCreateOrigin| to the current origin.
 
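Review bot: "A period of at least two minutes is RECOMMENDED" gives only a floor for `|conditionalCreateLifetimeTimer|`. Because an unexpired timer is what allows a later conditional create() to proceed, an upper bound, or guidance to keep the default short, is worth recommending too, so that consent given during one sign-in is not relied on long afterwards.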

From bf5480db1e0ae426916366251155e6f6e944b3c1 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 7 Feb 2024 11:29:09 -0800
Subject: [PATCH 06/18] Address comments, clarify other means other than
 extension may be used to collect consent.

---
 index.bs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/index.bs b/index.bs
index 0732e3daa..58e6d94b9 100644
--- a/index.bs
+++ b/index.bs
@@ -1919,7 +1919,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 
     1. If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|, throw a "{{NotAllowedError}}" {{DOMException}}.
 
-    Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has been completed and the user consents to this type of credential creation.
+    Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has
+    been completed and the user consents to this type of credential creation. This consent may be collected via means other than the [=conditionalCreate|Conditional Create Extension=].
 
     1. Set |lifetimeTimer| to a client-specific default.
 
@@ -6737,7 +6738,7 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 
 ### Conditional Create Extension (<dfn>conditionalCreate</dfn>) ### {#sctn-authenticator-conditional-create-extension}
 
-This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential if the authentication ceremony is completed successfully.
+This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential if the authentication ceremony is completed successfully. This may allow the user agent to collect consent for credential creation during the authentication ceremony, but is not required as the user agent may also collect consent elsewhere.
 
 
 : Extension identifier
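Review bot: In the added sentence, "but is not required" has no clear subject: it can be read as the extension not being required or as consent collection during the ceremony not being required. Please split the sentence and state which is meant, and use MAY rather than "may" if the statement is normative.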
@@ -6756,7 +6757,7 @@ This [=client extension|client=] [=authentication extension=] indicates that the
 
 : Client extension processing
 
-:: When [[#sctn-getAssertion|assertion]]:
+::
         1. Just after [establishing the RP ID](#GetAssn-DetermineConditional) perform these steps:
 
             1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not present or does not have the value
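Review bot: `::` is now an empty definition body followed by a list indented eight spaces. Please check the rendered output, since that indentation with no lead-in line may be treated as preformatted text or detach the steps from `: Client extension processing`; outdenting the list to the four-space level used by the other definition bodies would be safer.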

From 2b8521b13ce7e2d27465cda47469b8b293f16651 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 21 Feb 2024 10:32:13 -0800
Subject: [PATCH 07/18] Remove extension, clarify user agent is responsible for
 collecting consent for conditional create

---
 index.bs | 49 +------------------------------------------------
 1 file changed, 1 insertion(+), 48 deletions(-)

diff --git a/index.bs b/index.bs
index 58e6d94b9..7f7a00e7b 100644
--- a/index.bs
+++ b/index.bs
@@ -2211,7 +2211,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     [[#sctn-make-credential-privacy]] for details.
 
 During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
-authorizing an authenticator. When <code>|options|.{{CredentialRequestOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to.
+authorizing an authenticator. When <code>|options|.{{CredentialRequestOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
 </div>
 
 
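Review bot: This sentence describes create() but still links `{{CredentialRequestOptions/mediation}}`, whereas the introductory paragraph for create() was already changed to `{{CredentialCreationOptions/mediation}}`. Update the link here as well so the two passages refer to the same dictionary member.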
@@ -6736,53 +6736,6 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 : Authenticator extension output
 :: None.
 
-### Conditional Create Extension (<dfn>conditionalCreate</dfn>) ### {#sctn-authenticator-conditional-create-extension}
-
-This [=client extension|client=] [=authentication extension=] indicates that the [=[RP]=] would like to create a credential if the authentication ceremony is completed successfully. This may allow the user agent to collect consent for credential creation during the authentication ceremony, but is not required as the user agent may also collect consent elsewhere.
-
-
-: Extension identifier
-:: `conditionalCreate`
-
-: Operation applicability
-:: [=authentication extension|Authentication=]
-
-: Client extension input
-:: The Boolean value [TRUE] to indicate that this extension is requested by the [=[RP]=].
-    <xmp class="idl">
-    partial dictionary AuthenticationExtensionsClientInputs {
-        boolean conditionalCreate;
-    };
-    </xmp>
-
-: Client extension processing
-
-::
-        1. Just after [establishing the RP ID](#GetAssn-DetermineConditional) perform these steps:
-
-            1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not present or does not have the value
-                {{CredentialMediationRequirement/conditional}}:
-
-                1. Throw a "{{NotAllowedError}}" {{DOMException}}
-
-        1. When [showing conditional assertion form control](#GetAssn-ConditionalMediation-Interact-FormControl):
-
-            1. Inform the user that the [=[RP]=] will create a credential if the user agent mediates the authentication ceremony.
-
-            1. Set |conditionalCreateLifetimeTimer| to a client-specific default. A period of at least two minutes is RECOMMENDED.
-
-            1. Set |conditionalCreateOrigin| to the current origin.
-
-        1. If the user agent mediates the authentication ceremony while the conditional assertion is running:
-
-            1. Start |conditionalCreateLifetimeTimer|.
-
-            1. Optionally collect an [=authorization gesture=] confirming [=user consent=] to create the credential which may later be used to skip (this step)[#op-makecred-step-user-consent].
-
-: Client extension output
-:: None
-
-
 ### Credential Properties Extension (<dfn>credProps</dfn>) ### {#sctn-authenticator-credential-properties-extension}
 
 This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=].
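Review bot: After this removal nothing normative sets or starts `|conditionalCreateLifetimeTimer|` or sets `|conditionalCreateOrigin|`, yet the create() algorithm still throws based on them; only a Note describes where they come from. The RECOMMENDED two-minute floor is lost with the deleted steps as well. Please move the "set", "start" and lifetime guidance into the create() algorithm or into a definition of the user agent's consent state.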

From 55024a6379854ddaf30f674cada5a4f53fbf96db Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 21 Feb 2024 11:38:39 -0800
Subject: [PATCH 08/18] remove another extension reference

---
 index.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index 7f7a00e7b..80e43640a 100644
--- a/index.bs
+++ b/index.bs
@@ -1920,7 +1920,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     1. If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|, throw a "{{NotAllowedError}}" {{DOMException}}.
 
     Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has
-    been completed and the user consents to this type of credential creation. This consent may be collected via means other than the [=conditionalCreate|Conditional Create Extension=].
+    been completed and the user consents to this type of credential creation.
 
     1. Set |lifetimeTimer| to a client-specific default.
 

From 6906fe648e041f206d9728d36212e45a287eda45 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 21 Feb 2024 12:17:53 -0800
Subject: [PATCH 09/18] Update isConditionalMediationAvailable and contributors

---
 index.bs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/index.bs b/index.bs
index 80e43640a..cadefe32d 100644
--- a/index.bs
+++ b/index.bs
@@ -36,6 +36,7 @@ Former Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com
 !Contributors: <a href="mailto:agl@google.com">Adam Langley</a> (Google)
 !Contributors: <a href="mailto:mandyam@qti.qualcomm.com">Giridhar Mandyam</a> (Qualcomm)
 !Contributors: <a href="mailto:mattmil3@cisco.com">Matthew Miller</a> (Cisco)
+!Contributors: <a href="mailto:pascoe@apple.com">Pascoe</a> (Apple)
 !Contributors: <a href="mailto:nsatragno@google.com">Nina Satragno</a> (Google)
 !Contributors: <a href="mailto:nick.steele@agilebits.com">Nick Steele</a> (1Password)
 !Contributors: <a href="mailto:jiewen_tan@apple.com">Jiewen Tan</a> (Apple)
@@ -1576,15 +1577,16 @@ that are returned to the caller when a new credential is created, or a new asser
 
     :   {{PublicKeyCredential/isConditionalMediationAvailable()}}
     ::  {{PublicKeyCredential}} overrides this method to indicate availability for {{CredentialMediationRequirement/conditional}}
-        mediation. [=[WRPS]=] SHOULD verify availability before attempting to set
-        <code>|options|.{{CredentialRequestOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}}.
+        mediation during {{CredentialsContainer/get()|navigator.credentials.get()}}. [=[WRPS]=] SHOULD verify availability before
+        attempting to set <code>|options|.{{CredentialRequestOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}}.
 
         Upon invocation, a promise is returned that resolves with a value of [TRUE] if {{CredentialMediationRequirement/conditional}}
         [=user mediation=] is available, or [FALSE] otherwise.
 
         This method has no arguments and returns a promise to a Boolean value.
 
-        Note: If this method is not present, {{CredentialMediationRequirement/conditional}} [=user mediation=] is not available.
+        Note: If this method is not present, {{CredentialMediationRequirement/conditional}} [=user mediation=] is not available for
+        {{CredentialsContainer/get()|navigator.credentials.get()}}.
 
     :   {{PublicKeyCredential/toJSON()}}
     ::  This operation returns {{RegistrationResponseJSON}} or {{AuthenticationResponseJSON}},
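Review bot: The {{PublicKeyCredential/isConditionalMediationAvailable()}} entry is now scoped to get() but gives no pointer to how conditional mediation for create() is detected. Add a sentence or Note here referring to the capability check described for {{CredentialsContainer/create()|navigator.credentials.create()}}, so that an RP does not treat a [TRUE] result as covering both operations.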
@@ -2203,6 +2205,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                     |authenticator| and [=set/remove=] it from |issuedRequests|.
 
                 1. Return |constructCredentialAlg| and terminate this algorithm.
+
         </dl>
     </li>
 
@@ -4911,6 +4914,7 @@ client ignores any further responses from the authenticator for the canceled ope
 This operation is ignored if it is invoked in an [=authenticator session=] which does not have an [=authenticatorMakeCredential=]
 or [=authenticatorGetAssertion=] operation currently in progress.
 
+
 ### The <dfn>silentCredentialDiscovery</dfn> operation ### {#sctn-op-silent-discovery}
 
 This is an OPTIONAL operation authenticators MAY support to enable {{CredentialMediationRequirement/conditional}}
@@ -6736,6 +6740,7 @@ During a transition from the FIDO U2F JavaScript API, a [=[RP]=] may have a popu
 : Authenticator extension output
 :: None.
 
+
 ### Credential Properties Extension (<dfn>credProps</dfn>) ### {#sctn-authenticator-credential-properties-extension}
 
 This [=client extension|client=] [=registration extension=] facilitates reporting certain [=credential properties=] known by the [=client=] to the requesting [=[WRP]=] upon creation of a [=public key credential source=] as a result of a [=registration ceremony=].

From e9b0448d25d382f20e9a932387a2c5289eaddf75 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 19 Mar 2024 21:33:26 +0100
Subject: [PATCH 10/18] Fix autolinks

---
 index.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.bs b/index.bs
index 81b0e1a25..40394d95c 100644
--- a/index.bs
+++ b/index.bs
@@ -1741,8 +1741,8 @@ options, sameOriginWithAncestors)</dfn> [=internal method=] [[!CREDENTIAL-MANAGE
 [=public key credential source=], [=bound credential|bound=] to an [=authenticator=].
 
 By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{CredentialMediationRequirement/conditional}},
-[=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. [=[RP]=] script SHOULD first check that [conditionalCreate] is present
-in {=ClientCapabilities=} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
+[=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. The [=[RP]=] SHOULD first check that {{ClientCapability/conditionalCreate}} is present
+in the result of {{PublicKeyCredential/getClientCapabilities()}} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
 
 Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
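Review bot: the rewritten line still reads "if user has already consented to create a credential"; it should be "if the user has already consented". Since the line is being touched for the autolinks anyway, it would also help to break after that sentence so the SHOULD about {{PublicKeyCredential/getClientCapabilities()}} starts on its own line and future diffs of it stay small.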

From aca236f39be577276a7ff962badc33ad6f0d41fb Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 19 Mar 2024 21:42:45 +0100
Subject: [PATCH 11/18] Revert unused change

---
 index.bs | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/index.bs b/index.bs
index 40394d95c..24a37dfd5 100644
--- a/index.bs
+++ b/index.bs
@@ -2296,22 +2296,19 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. Let |pkOptions| be the value of <code>|options|.{{CredentialRequestOptions/publicKey}}</code>.
 
+1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+    {{CredentialMediationRequirement/conditional}}:
 
-        <li id='GetAssn-DetermineConditional'>
-            If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
-            {{CredentialMediationRequirement/conditional}}:
-
-            1. Let |credentialIdFilter| be the value of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>.
+    1. Let |credentialIdFilter| be the value of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>.
 
-            1. Set <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> to [=list/empty=].
+    1. Set <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> to [=list/empty=].
 
-                Note: This prevents [=non-discoverable credentials=] from being used during {{CredentialMediationRequirement/conditional}} requests.
+        Note: This prevents [=non-discoverable credentials=] from being used during {{CredentialMediationRequirement/conditional}} requests.
 
-            1. Set a timer |lifetimeTimer| to a value of infinity.
+    1. Set a timer |lifetimeTimer| to a value of infinity.
 
-                Note: |lifetimeTimer| is set to a value of infinity so that the user has the entire lifetime of
-                the [=Document=] to interact with any <{input}> form control tagged with a `"webauthn"` [=autofill detail token=]. For example, upon the user clicking in such an input field, the user agent can render a list of discovered credentials for the user to select from, and perhaps also give the user the option to "try another way".
-        </li>
+        Note: |lifetimeTimer| is set to a value of infinity so that the user has the entire lifetime of
+        the [=Document=] to interact with any <{input}> form control tagged with a `"webauthn"` [=autofill detail token=]. For example, upon the user clicking in such an input field, the user agent can render a list of discovered credentials for the user to select from, and perhaps also give the user the option to "try another way".
 
 1. Else:
 
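Review bot: the revert removes the `<li id='GetAssn-DetermineConditional'>` wrapper, so any link to `#GetAssn-DetermineConditional` elsewhere in index.bs would now dangle. Please confirm nothing references that id, or keep an anchor on the restored numbered step.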

From 763831bdd1a2d9e60d2d74378caab20c1ca0a6c6 Mon Sep 17 00:00:00 2001
From: pascoe <pascoe@apple.com>
Date: Tue, 19 Mar 2024 14:54:43 -0700
Subject: [PATCH 12/18] Address emlun's comments

---
 index.bs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/index.bs b/index.bs
index 24a37dfd5..03fb9efa9 100644
--- a/index.bs
+++ b/index.bs
@@ -1928,12 +1928,16 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
      {{CredentialMediationRequirement/conditional}}:
 
-    1. If |conditionalCreateLifetimeTimer| is expired or |conditionalCreateOrigin| is not |callerOrigin|, throw a "{{NotAllowedError}}" {{DOMException}}.
+    1. If the user agent has not recently mediated an authentication, the origin of said authentication is not |callerOrigin|, or the user
+    does not consent to this type of credential creation, throw a "{{NotAllowedError}}" {{DOMException}}.
 
-    Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has
-    been completed and the user consents to this type of credential creation.
+    Note: The user agent will note when it believes an authentication ceremony has
+    been completed.
 
-    1. Set |lifetimeTimer| to a client-specific default.
+    1. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code> is present, check if its value lies
+        within a reasonable range as defined by the [=client=] and if not, correct it to the closest value lying within that range.
+        Set a timer |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code>
+        is not present, then set |lifetimeTimer| to a [=client=]-specific default.
 
 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
 
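Review bot: "has not recently mediated an authentication" in the replaced sub-step has no definition or bound, whereas the removed |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| wording gave an expiry and an origin comparison that an implementer could test. Either state that the window is client-defined with a recommended upper limit, or keep named variables so the check stays verifiable. The new timeout sub-step also links `{{PublicKeyCredentialRequestOptions/timeout}}`, while the trailing context reads `{{PublicKeyCredentialCreationOptions/hints}}` in the same algorithm, so the Creation dictionary looks like the intended target.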

From 5d6c2059f0c4c84e2a051232b933b56296cb8efa Mon Sep 17 00:00:00 2001
From: pascoe <pascoe@apple.com>
Date: Tue, 19 Mar 2024 15:02:28 -0700
Subject: [PATCH 13/18] CredentialRequestOptions->CredentialCreationOptions

---
 index.bs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/index.bs b/index.bs
index 03fb9efa9..5fc163a93 100644
--- a/index.bs
+++ b/index.bs
@@ -1784,7 +1784,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. If <var ignore>sameOriginWithAncestors</var> is [FALSE]:
 
-    1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+    1. If <code>|options|.{{CredentialCreationOptions/mediation}}</code> is present with the value
         {{CredentialMediationRequirement/conditional}}:
 
         1. Throw a "{{NotAllowedError}}" {{DOMException}}
@@ -1925,7 +1925,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     [=authenticators=] can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
     or discovered (e.g., via NFC or Bluetooth) by the [=client=] by various mechanisms, or permanently built into the [=client=].
 
-1. If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is present with the value
+1. If <code>|options|.{{CredentialCreationOptions/mediation}}</code> is present with the value
      {{CredentialMediationRequirement/conditional}}:
 
     1. If the user agent has not recently mediated an authentication, the origin of said authentication is not |callerOrigin|, or the user
@@ -1934,9 +1934,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     Note: The user agent will note when it believes an authentication ceremony has
     been completed.
 
-    1. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code> is present, check if its value lies
+    1. If <code>|pkOptions|.{{CredentialCreationOptions/timeout}}</code> is present, check if its value lies
         within a reasonable range as defined by the [=client=] and if not, correct it to the closest value lying within that range.
-        Set a timer |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/timeout}}</code>
+        Set a timer |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{CredentialCreationOptions/timeout}}</code>
         is not present, then set |lifetimeTimer| to a [=client=]-specific default.
 
 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
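Review bot: the two replaced links in the timeout sub-step now point at `{{CredentialCreationOptions/timeout}}`, but the value is read from |pkOptions| and timeout is a member of PublicKeyCredentialCreationOptions, as the `{{PublicKeyCredentialCreationOptions/hints}}` reference in the next step suggests. Both links should be `{{PublicKeyCredentialCreationOptions/timeout}}`; the rename to CredentialCreationOptions is only right for `mediation`, which is read from |options|.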
@@ -2226,7 +2226,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     [[#sctn-make-credential-privacy]] for details.
 
 During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
-authorizing an authenticator. When <code>|options|.{{CredentialRequestOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
+authorizing an authenticator. When <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
 </div>
 
 
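Review bot: in the changed sentence, "should <i>not</i> be shown" is lowercase while the sentence before it uses SHOULD, so it is unclear whether suppressing modal UI is a requirement or an observation. Use the RFC 2119 keyword if it is normative, and link "previously consented to" to the algorithm step that performs the consent check so the two places cannot drift apart.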

From ae8e0fc179b7c0e20cd6319564595fcab20386f5 Mon Sep 17 00:00:00 2001
From: pascoe <pascoe@apple.com>
Date: Tue, 19 Mar 2024 15:49:45 -0700
Subject: [PATCH 14/18] Address emlun's other comments

---
 index.bs | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/index.bs b/index.bs
index 5fc163a93..29223cca2 100644
--- a/index.bs
+++ b/index.bs
@@ -1929,15 +1929,11 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
      {{CredentialMediationRequirement/conditional}}:
 
     1. If the user agent has not recently mediated an authentication, the origin of said authentication is not |callerOrigin|, or the user
-    does not consent to this type of credential creation, throw a "{{NotAllowedError}}" {{DOMException}}.
+        does not consent to this type of credential creation, throw a "{{NotAllowedError}}" {{DOMException}}.
 
-    Note: The user agent will note when it believes an authentication ceremony has
-    been completed.
-
-    1. If <code>|pkOptions|.{{CredentialCreationOptions/timeout}}</code> is present, check if its value lies
-        within a reasonable range as defined by the [=client=] and if not, correct it to the closest value lying within that range.
-        Set a timer |lifetimeTimer| to this adjusted value. If <code>|pkOptions|.{{CredentialCreationOptions/timeout}}</code>
-        is not present, then set |lifetimeTimer| to a [=client=]-specific default.
+        It is up to the user agent to decide when it believes an authentication ceremony has
+        been completed. That authentication ceremony MAY be performed via other means than the
+        [=Web Authentication API=].
 
 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
 
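Review bot: with the timeout sub-step deleted, nothing in the visible conditional branch sets |lifetimeTimer| any more; please check that a later step still initialises it for conditional requests, otherwise the ceremony has no defined lifetime. The replacement paragraph also carries a normative MAY but leaves "recently" and the choice of non-WebAuthn authentication entirely to the user agent, so a short statement of what a Relying Party can assume about that prior authentication would be useful.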

From 0318deecd3e8b4f7ac18548a71798e15f6b8cdcd Mon Sep 17 00:00:00 2001
From: pascoe <pascoe@apple.com>
Date: Wed, 3 Apr 2024 11:10:15 -0700
Subject: [PATCH 15/18] Require uv=0,up=0 for conditionalCreate

---
 index.bs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index 29223cca2..8cb651eae 100644
--- a/index.bs
+++ b/index.bs
@@ -1744,6 +1744,8 @@ By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{C
 [=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. The [=[RP]=] SHOULD first check that {{ClientCapability/conditionalCreate}} is present
 in the result of {{PublicKeyCredential/getClientCapabilities()}} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
+The authenticator SHOULD set BOTH |userPresence| and |userVerification| to |FALSE| when <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}
+unless explicitly collected during the ceremony.
 
 Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
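Review bot: the added sentence puts the requirement on the authenticator, but `|options|.{{CredentialCreationOptions/mediation}}` is only visible to the client, so the authenticator has no way to act on it; the requirement belongs on the client and on the parameters it passes down. "unless explicitly collected during the ceremony" also has no subject, and |FALSE| uses variable markup where the rest of the text writes [FALSE] and [TRUE].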
@@ -2023,7 +2025,14 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                         <dl class="switch">
 
                             :   is set to {{UserVerificationRequirement/required}}
-                            ::  Let |userVerification| be [TRUE].
+                            ::  If <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to
+                                <dl class="switch">
+                                    :   {{CredentialMediationRequirement/conditional}}
+                                    ::  throw a {{NotAllowedError}} {{DOMException}} unless it can be explicitly collected during the ceremony.
+
+                                    :   empty or another value
+                                    ::  Let |userVerification| be [TRUE].
+                                </dl>
 
                             :   is set to {{UserVerificationRequirement/preferred}}
                             ::  If the |authenticator|
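Review bot: in the new nested switch, "unless it can be explicitly collected" has no antecedent; say "unless [=user verification=] can be collected during the ceremony". The exception is written as `{{NotAllowedError}}` without the surrounding quotes used elsewhere in this algorithm ("{{NotAllowedError}}"), and "throw" starts the item in lowercase. Nesting a second `<dl class="switch">` inside a `::` item is also heavy for a two-way branch; a plain "If ... otherwise" sentence would be easier to read.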

From f2ccac781e12853a6087cad0a508220b3e0be015 Mon Sep 17 00:00:00 2001
From: pascoe <pascoe@apple.com>
Date: Fri, 19 Apr 2024 10:17:34 -0700
Subject: [PATCH 16/18] Address Tim and Emlun's comments

---
 index.bs | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/index.bs b/index.bs
index 8cb651eae..dda7b3abd 100644
--- a/index.bs
+++ b/index.bs
@@ -1744,8 +1744,8 @@ By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{C
 [=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. The [=[RP]=] SHOULD first check that {{ClientCapability/conditionalCreate}} is present
 in the result of {{PublicKeyCredential/getClientCapabilities()}} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
-The authenticator SHOULD set BOTH |userPresence| and |userVerification| to |FALSE| when <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}
-unless explicitly collected during the ceremony.
+The client MUST set BOTH |requireUserPresence| and |requireUserVerification| to |FALSE| when <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}
+unless they may explicitly collected during the ceremony.
 
 Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
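Review bot: "unless they may explicitly collected" is missing a verb; it should read "unless they can be explicitly collected", and "can" avoids a lowercase "may" sitting next to MUST. As written, the MUST also appears to conflict with the switch below, where |userVerification| is still set to [TRUE] for {{UserVerificationRequirement/required}}; state the exception precisely so the two passages agree. |FALSE| should be [FALSE] to match the other Boolean literals.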
@@ -2025,14 +2025,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                         <dl class="switch">
 
                             :   is set to {{UserVerificationRequirement/required}}
-                            ::  If <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to
-                                <dl class="switch">
-                                    :   {{CredentialMediationRequirement/conditional}}
-                                    ::  throw a {{NotAllowedError}} {{DOMException}} unless it can be explicitly collected during the ceremony.
-
-                                    :   empty or another value
-                                    ::  Let |userVerification| be [TRUE].
-                                </dl>
+                            ::  1. If <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}
+                                    and [=user verification=] cannot be collected during the ceremony,
+                                    throw a {{ConstraintError}} {{DOMException}}.
+                                1. Let |userVerification| be [TRUE].
 
                             :   is set to {{UserVerificationRequirement/preferred}}
                             ::  If the |authenticator|
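Review bot: the exception changes from NotAllowedError to `{{ConstraintError}}` and is written without the quotes used for "{{NotAllowedError}}" in the rest of the algorithm; quote it the same way. Because Relying Party scripts branch on the error name, the text should say why this case is distinguishable from the other conditional-create failures, which still throw NotAllowedError.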
@@ -4644,9 +4640,9 @@ It takes the following input parameters:
 : |requireResidentKey|
 :: The [=effective resident key requirement for credential creation=], a Boolean value determined by the [=client=].
 : |requireUserPresence|
-:: The constant Boolean value [TRUE].
+:: The constant Boolean value [TRUE] unless <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}.
     It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
-    wish to make a [=test of user presence=] optional although WebAuthn does not.
+    wish to make a [=test of user presence=] optional.
 : |requireUserVerification|
 :: The [=effective user verification requirement for credential creation=], a Boolean value determined by the [=client=].
 : |credTypesAndPubKeyAlgs|
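Review bot: "The constant Boolean value [TRUE] unless ..." no longer describes a constant and never states the value used in the conditional case; spell out both values. The definition also refers to `|options|.{{CredentialCreationOptions/mediation}}`, which is not an input of this authenticator operation, so it would be cleaner to say the value is determined by the [=client=], as the neighbouring parameters do. Dropping "although WebAuthn does not" removes the only statement that user presence is otherwise mandatory.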
@@ -5401,7 +5397,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 
 1. Verify that the <code>[=rpIdHash=]</code> in |authData| is the SHA-256 hash of the [=RP ID=] expected by the [=[RP]=].
 
-1. Verify that the [=UP=] bit of the <code>[=flags=]</code> in |authData| is set.
+1. Verify that the [=UP=] bit of the <code>[=flags=]</code> in |authData| is set, unless <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}.
 
 1. If the [=[RP]=] requires [=user verification=] for this registration,
     verify that the [=authData/flags/UV=] bit of the <code>[=flags=]</code> in |authData| is set.
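Review bot: the relaxed UP check refers to `|options|.{{CredentialCreationOptions/mediation}}`, but this step runs at the Relying Party, where |options| is not defined and anything reported by the client is untrusted. The step should say that the Relying Party skips the UP check only when its own record of the ceremony shows it requested {{CredentialMediationRequirement/conditional}} mediation; otherwise a response with UP unset must still be rejected.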

From 9a3061305dcff49d1567cdb155da01d236a152ea Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 1 May 2024 10:12:54 -0700
Subject: [PATCH 17/18] Address Tim's comment

---
 index.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index dda7b3abd..4899b5541 100644
--- a/index.bs
+++ b/index.bs
@@ -1745,7 +1745,7 @@ By setting <code>|options|.{{CredentialCreationOptions/mediation}}</code> to {{C
 in the result of {{PublicKeyCredential/getClientCapabilities()}} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does
 not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}.
 The client MUST set BOTH |requireUserPresence| and |requireUserVerification| to |FALSE| when <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}
-unless they may explicitly collected during the ceremony.
+unless they may explicitly performed during the ceremony.
 
 Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
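Review bot: the replacement line "unless they may explicitly performed during the ceremony" is still ungrammatical; it needs "be", for example "unless they can be explicitly performed during the ceremony". "They" refers to the parameters |requireUserPresence| and |requireUserVerification|, which are not things that get performed, so naming the [=test of user presence=] and [=user verification=] directly would read better.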

From dde3ab327386487eee53b6e83999be72373711b4 Mon Sep 17 00:00:00 2001
From: Pascoe <pascoe@apple.com>
Date: Wed, 15 May 2024 08:25:21 -0700
Subject: [PATCH 18/18] Address Matt's comments

---
 index.bs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/index.bs b/index.bs
index 4899b5541..41626ea9f 100644
--- a/index.bs
+++ b/index.bs
@@ -4640,9 +4640,7 @@ It takes the following input parameters:
 : |requireResidentKey|
 :: The [=effective resident key requirement for credential creation=], a Boolean value determined by the [=client=].
 : |requireUserPresence|
-:: The constant Boolean value [TRUE] unless <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}.
-    It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
-    wish to make a [=test of user presence=] optional.
+:: The constant Boolean value [TRUE], or |FALSE| when <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}} and the user agent previously collected consent from the user.
 : |requireUserVerification|
 :: The [=effective user verification requirement for credential creation=], a Boolean value determined by the [=client=].
 : |credTypesAndPubKeyAlgs|
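Review bot: the new definition mixes [TRUE] with |FALSE|; use [FALSE] so both literals render the same way. "The constant Boolean value [TRUE], or ..." is also no longer a constant, so "A Boolean value determined by the [=client=]: [FALSE] when ..., otherwise [TRUE]" would be more accurate. The condition "the user agent previously collected consent from the user" should link to the create() step that checks consent, so that the client algorithm and this parameter stay in agreement.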