Commit
Merge pull request #2032 from w3c/issue-2030-step-numbers
Fix out-of-sync numbers in algorithm step references
emlun authored Apr 3, 2024
2 parents 18b08a2 + fc39edd commit 064041d
Showing 1 changed file with 12 additions and 12 deletions.
24 changes: 12 additions & 12 deletions index.bs
@@ -2024,7 +2024,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
<dl class="switch">

: is set to {{AttestationConveyancePreference/enterprise}}
:: Let |enterpriseAttestationPossible| be [TRUE] if the user agent wishes to support enterprise attestation for <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> (see [Step 8](#CreateCred-DetermineRpId), above). Otherwise [FALSE].
:: Let |enterpriseAttestationPossible| be [TRUE] if the user agent wishes to support enterprise attestation for <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> (see [step 8](#CreateCred-DetermineRpId), above). Otherwise [FALSE].

: otherwise
:: Let |enterpriseAttestationPossible| be [FALSE].
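Review bot: Case-only change here ("Step 8" to "step 8"); the number and the #CreateCred-DetermineRpId anchor are untouched, so this aligns with the lowercase "step N" convention used elsewhere in the file rather than fixing a drifted number. Since a later step in the same [[Create]]() algorithm moves from 20 to 21 in this PR, please confirm that step 8 is still the position of the RP ID determination, i.e. that the inserted step sits after it.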
@@ -5192,7 +5192,7 @@ calling {{CredentialsContainer/create()|navigator.credentials.create()}} they se
[=attestation type=] as a part of [=verification procedure|verification=]. See the "Verification procedure" subsections of
[[#sctn-defined-attestation-formats]]. See also [[#sctn-attestation-privacy]]. For all [=attestation types=] defined in this
section other than [=self attestation|Self=] and [=None=], [=[RP]=] [=verification procedure|verification=] is followed by
matching the [=attestation trust path|trust path=] to an acceptable root certificate per [step 23](#reg-ceremony-assess-trust)
matching the [=attestation trust path|trust path=] to an acceptable root certificate per [step 24](#reg-ceremony-assess-trust)
of [[#sctn-registering-a-new-credential]].
Differentiating these [=attestation types=] becomes useful primarily as a means for determining if the [=attestation=] is acceptable
under [=[RP]=] policy.
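Review bot: Step 24 for #reg-ceremony-assess-trust agrees with the other two references to that anchor updated in this PR (the step heading in sctn-registering-a-new-credential and the "not trustworthy per step 24" clause). The anchor itself is unchanged, so the hyperlink was never broken, only the displayed number; still, this paragraph is what an RP implementer reads when deciding whether an attestation type is acceptable under policy, and a wrong number sends them to the neighbouring step instead of the trust-assessment step, so the fix is more than cosmetic.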
@@ -5439,12 +5439,12 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list -->
<li id="reg-ceremony-assess-trust">
Assess the attestation trustworthiness using the outputs of the [=verification procedure=] in [step 21](#reg-ceremony-verify-attestation), as follows:
Assess the attestation trustworthiness using the outputs of the [=verification procedure=] in [step 22](#reg-ceremony-verify-attestation), as follows:
- If [=None|no attestation=] was provided, verify that [=None=] attestation is acceptable under [=[RP]=] policy.
- If [=self attestation=] was used, verify that [=self attestation=] is acceptable under [=[RP]=] policy.
- Otherwise, use the X.509 certificates returned as the [=attestation trust path=] from the [=verification procedure=]
to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate
(i.e., it and the root certificate obtained in [Step 22](#reg-ceremony-attestation-trust-anchors) may be the same).
(i.e., it and the root certificate obtained in [step 23](#reg-ceremony-attestation-trust-anchors) may be the same).
</li>

1. Verify that the <code>[=credentialId=]</code> is &le; 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this [=registration ceremony=].
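Review bot: The three numbers in this region now form the expected sequence (verify attestation 22, obtain trust anchors 23, assess trust 24), matching the cross-references elsewhere in this PR, and "Step 22" becoming "step 23" fixes both the number and the lowercase convention. Note the HTML comment just above the <li> says this step is only rendered as a numbered step because of an indentation workaround in bikeshed; if that rendering ever changes, every hard-coded "step 24" pointing at #reg-ceremony-assess-trust will go stale again, so it is worth keeping that dependency in mind when the workaround is revisited.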
@@ -5497,7 +5497,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
</dl>
</li>

1. If the attestation statement |attStmt| successfully verified but is not trustworthy per [step 23](#reg-ceremony-assess-trust) above,
1. If the attestation statement |attStmt| successfully verified but is not trustworthy per [step 24](#reg-ceremony-assess-trust) above,
the [=[RP]=] SHOULD fail the [=registration ceremony=].

NOTE: However, if permitted by policy, the [=[RP]=] MAY register the [=credential ID=] and credential public key but treat the
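Review bot: Consistent with the step-24 change in the attestation-type section. This is the clause that tells the RP to fail registration when |attStmt| verified but is not trustworthy, so the reference has to land on the trust-assessment step and not on the adjacent credentialId length check; with the +1 shift applied here it does. The NOTE that follows is cut off in this view, so please confirm it carries no further step number that needed the same shift.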
@@ -5506,7 +5506,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
See [[FIDOSecRef]] and [[UAFProtocol]] for a more detailed discussion.

Verification of [=attestation objects=] requires that the [=[RP]=] has a trusted method of determining acceptable trust anchors
in [step 22](#reg-ceremony-attestation-trust-anchors) above.
in [step 23](#reg-ceremony-attestation-trust-anchors) above.
Also, if certificates are being used, the [=[RP]=] MUST have access to certificate status information for the
intermediate CA certificates. The [=[RP]=] MUST also be able to build the attestation certificate chain if the client did not
provide this chain in the attestation information.
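Review bot: Matches the 22 to 23 shift for #reg-ceremony-attestation-trust-anchors inside the registration ceremony. This paragraph is where the requirements to have certificate status information for intermediate CA certificates and to be able to build the attestation chain are stated, so pointing readers at the correct trust-anchor step keeps those revocation and chain-building requirements tied to the right input; good that this prose reference was updated and not only the ones inside the algorithm.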
@@ -6981,10 +6981,10 @@ However, [=authenticators=] that do not utilize [[!FIDO-CTAP]] do not necessaril
1. Set {{AuthenticationExtensionsLargeBlobOutputs/supported}} to [TRUE].

Note: This is in anticipation of an authenticator capable of storing large blobs becoming available.
It occurs during extension processing in [Step 12](#CreateCred-process-extensions) of {{PublicKeyCredential/[[Create]]()}}.
It occurs during extension processing in [step 12](#CreateCred-process-extensions) of {{PublicKeyCredential/[[Create]]()}}.
The {{AuthenticationExtensionsLargeBlobOutputs}} will be abandoned if no satisfactory authenticator becomes available.

1. If a [=create/candidate authenticator=] becomes available ([Step 20](#CreateCred-async-loop) of {{PublicKeyCredential/[[Create]]()}}) then,
1. If a [=create/candidate authenticator=] becomes available ([step 21](#CreateCred-async-loop) of {{PublicKeyCredential/[[Create]]()}}) then,
before evaluating any <code>|options|</code>, [=iteration/continue=] (i.e. ignore the [=create/candidate authenticator=])
if the [=create/candidate authenticator=] is not capable of storing large blobs.
1. Otherwise (i.e. {{AuthenticationExtensionsLargeBlobInputs/support}} is absent or has the value {{LargeBlobSupport/preferred}}):
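Review bot: Two different kinds of change in this hunk: step 12 (#CreateCred-process-extensions) is case-only, while step 20 became step 21 (#CreateCred-async-loop). That implies a step was inserted into [[Create]]() somewhere between extension processing and the candidate-authenticator loop; please confirm the insertion point so the unchanged step 12 and the step 8 reference to #CreateCred-DetermineRpId earlier in this PR are genuinely unaffected. The largeBlob behaviour described (skip candidates that cannot store large blobs when support is required) is untouched.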
@@ -7447,7 +7447,7 @@ The [=supplementalPubKeys=] extension adds the following [=struct/item=] to [=cr
##### Registration (`create()`) ##### {#sctn-supplemental-public-keys-extension-verification-create}

If the [=[RP]=] requested the `supplementalPubKeys` extension in a {{CredentialsContainer/create()|navigator.credentials.create()}} call,
then the below verification steps are performed in the context of [step 19](#reg-ceremony-verify-extension-outputs)
then the below verification steps are performed in the context of [step 20](#reg-ceremony-verify-extension-outputs)
of [[#sctn-registering-a-new-credential]] using these variables established therein: |credential|, |clientExtensionResults|, |authData|, and |hash|.
[=[RP]=] policy may specify whether a response without a `supplementalPubKeys` extension output is acceptable.

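Review bot: Step 19 to 20 for #reg-ceremony-verify-extension-outputs follows the same +1 shift applied to every registration-ceremony reference in this PR (22, 23, 24, 27). This is the step whose context binds |credential|, |clientExtensionResults|, |authData| and |hash| for the supplementalPubKeys verification, so a stale number here would have implementers looking at the wrong step for where those variables come from.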
@@ -7488,15 +7488,15 @@ of [[#sctn-registering-a-new-credential]] using these variables established ther
:: The value of |attStmt|.
</dl>

In [step 26](#reg-ceremony-store-credential-record) of [[#sctn-registering-a-new-credential]],
In [step 27](#reg-ceremony-store-credential-record) of [[#sctn-registering-a-new-credential]],
add this [=supplemental public key record=] to the [$credential record/supplementalPubKeys$] member of the new [=credential record=].

See also [[#sctn-supplemental-public-keys-extension-usage]] for further details.

##### Authentication (`get()`) ##### {#sctn-supplemental-public-keys-extension-verification-get}

If the [=[RP]=] requested the `supplementalPubKeys` extension in a {{CredentialsContainer/get()|navigator.credentials.get()}} call,
then the below verification steps are performed in the context of [step 17](#authn-ceremony-verify-extension-outputs)
then the below verification steps are performed in the context of [step 19](#authn-ceremony-verify-extension-outputs)
of [[#sctn-verifying-assertion]] using these variables established therein: |credential|, |clientExtensionResults|, |authData|, |hash|, and |credentialRecord|.
[=[RP]=] policy may specify whether a response without a `supplementalPubKeys` extension output is acceptable.

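Review bot: The registration reference (26 to 27 for #reg-ceremony-store-credential-record) is the same +1 shift as the rest of the registration ceremony, but the authentication reference moves by +2 (17 to 19 for #authn-ceremony-verify-extension-outputs). Two steps inserted before extension-output verification in sctn-verifying-assertion is plausible, but it should be checked against the current rendered numbering of that algorithm, because the later authentication reference in this PR (#authn-ceremony-update-credential-record) moves by only +1.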
@@ -7612,7 +7612,7 @@ To <dfn abstract-op>Create a new supplemental public key record</dfn>, perform t
:: The value of |attStmt|.
</dl>

In [step 22](#authn-ceremony-update-credential-record) of [[#sctn-verifying-assertion]],
In [step 23](#authn-ceremony-update-credential-record) of [[#sctn-verifying-assertion]],
[=set/append=] this [=supplemental public key record=] to |credentialRecord|.[$credential record/supplementalPubKeys$].


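Review bot: 22 to 23 for #authn-ceremony-update-credential-record is a +1 shift, whereas the earlier authentication reference in this PR (#authn-ceremony-verify-extension-outputs) shifted by +2 (17 to 19). Both can only be right if a step between those two anchors was removed or merged in sctn-verifying-assertion; please verify against the rendered step list, otherwise one of the two numbers is still out of sync, which is exactly the class of error this PR sets out to fix.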
