diff --git a/src/draft-sqrl.xml b/src/draft-sqrl.xml index 2c60ea8..a7d0dfc 100644 --- a/src/draft-sqrl.xml +++ b/src/draft-sqrl.xml @@ -928,7 +928,7 @@ VUK = ed25519_public_key( curve25519_key_agreement( ILK, RLK ));]]> The server MUST declare the set of supported protocol versions, and this declaration MUST be first in the client's argument list. See . Base64url-encoded opaque token that is a never-repeating cryptographically-strong nonce. The nut MAY contain reversibly encrypted data to help the server associate and maintain state. It MUST be included with every response to prevent reuse/replay and hijacking attacks. As with all of SQRL's base64 values, any trailing equals signs must be stripped. [add xref here once section on nut is complete] - Transaction Information Flags. A single hexadecimal-encoded integer that MUST be included in every server response. The "0x" prefix is included here for clarity, but they are not needed or used in the TIF's value. + Transaction Information Flags. A single hexadecimal-encoded integer that MUST be included in every server response. The "0x" prefix is included here for clarity, but is not needed or used in the TIF's value. Flag Description 
@@ -938,15 +938,15 @@ VUK = ed25519_public_key( curve25519_key_agreement( ILK, RLK ));]]> 0x08SQRL Disabled. Indicates that the SQRL authentication for this identity has previously been disabled. While this bit is set, any attempt at authentication MUST fail. This bit can ONLY be reset, and the identity re-enabled, by the "enable=" parameter from the client signed by the URS for the identity known to the server. 0x10Function(s) Not Supported. The client requested one or more SQRL functions that the server does not currently support. The server MUST also fail the query by setting 0x40 Command Failed. 0x20Transient Error. Indicates that the client signature(s) are correct, but something about the query prevented the command from completing. MUST be accompanied by a fresh "nut=" and a new "qry=" parameter. The server is requesting that the client retry and reissue the command with the new nut and query values. The server MUST also fail the query by setting 0x40 Command Failed. - 0x40Command Failed. Indicates that the server has had a problem processing the client's query. No change is made to the user's account or login status. With SQRL, either everything succeeds, or nothing happens. When set without 0x80 Client Failure, the trouble was not with the client's data, protocol, etc. but with some other aspect of the request failing. The server MAY use the "ask=" parameter to explain the problem to the client's user. When this flag is activated, the client MUST consider all other TIFs other than 0x80 to be invalid. + 0x40Command Failed. Indicates that the server has had a problem processing the client's query. No change is made to the user's account or login status. With SQRL, either everything succeeds, or nothing happens. When set without 0x80 Client Failure, the trouble was not with the client's data, protocol, etc. but with some other aspect of the request failing. The server MAY use the "ask=" parameter to explain the problem to the client's user. 
If neither ID Match bit (0x01 and 0x02) is set, then the problem may be an unknown identity; the client should try with successive previous identities, if available, and if all previous identities fail, the user is unknown to the server. When this flag is activated, the client MUST consider all other TIFs other than 0x10, 0x20, 0x80, and 0x100 to be invalid. 0x80Client Failure. Some aspect of the client's submitted query (other than expired but otherwise valid state information) was incorrect and prevented the server from understanding and/or completing the requested action. Moreover, this is not an issue the server expects could be fixed by having the client reissue the command with a fresh nut. The server MUST also set 0x40 Command Failed. 0x100Bad ID Association. The server may request reverification of the user's SQRL identity after a successful authentication. If it then receives a SQRL query using that nut but with a different SQRL identity, the server MUST reply with 0x100 Bad ID Association along with 0x40 Command Failed and 0x80 Client Failure. Note that the number of characters in the "tif=" value may vary depending on the number of characters required to represent the most significant bit set within the value. Later versions of the SQRL protocol may expand this list as needed. Therefore, there MUST NOT be any restrictions on or assumptions about the length of the "tif=" value. SQRL clients MUST immediately terminate any connection and abort any authentication operation with any SQRL server that includes TIF bits not defined. The query path. Instructs the client to query the provided server object in its next query (if any). MUST be included in every reply. MUST contain the full path from the root ("/"), and MUST NOT contain the scheme, domain name, or port. - Redirection URL. MUST be provided in response to any command other than "query" when the SQRL client's query includes the "opt=cps" parameter. 
The server MUST NOT authenticate the current web browser sessio, but instead uset his parameter to provide the client with a URL taking the user to a page showing the result of the authentication. - The Secret INdex. The server MAY include this parameter to request an identity-based, high-entropy, 256-bit indexed secret from the client. The client will hash this value via a secondary identity-keyed HMAC256. Servers MAY request any number of indexed secret values. SHOULD contain a cryptographically-secure degree of entropy. + Redirection URL. MUST be provided in response to any command other than "query" when the SQRL client's query includes the "opt=cps" parameter. The server MUST NOT authenticate the current web browser session, but instead use this parameter to provide the client with a URL taking the user to a page showing the result of the authentication. + The Secret INdex. The server MAY include this parameter to request a 256-bit indexed secret from the client. The client will hash this value via a secondary identity-keyed HMAC256. Servers MAY request any number of indexed secret values. SHOULD contain a cryptographically-secure degree of entropy. Server Unlock Key. When the server receives a successful authentication on a PIDK, or when the existing SQRL account is disabled, the server MUST provide the SUK to the client so that the client may either re-enable the user's account, update the user's identity, or remove the user's account entirely. A simple but flexible means for a remote server to gain a response from the SQRL client's user. The value MUST contain the base64url-encoded text to display to the user, and MAY contain one or two button parameters separated by tildes. If no buttons are specified, a simple "OK" button will be displayed to the user. A button parameter consists of base64url-encoded text to display in the button, and MAY be followed by a semicolon delimiting a URL. 
If the user selects a button where a URL is provided, the SQRL client will submit the link to its host operating system for handling. All text MUST be UTF-8 encoded to support international characters. OPTIONAL CANcellation redirection URL. If "opt=cps" is set but the authentication is aborted by the user and this value is present, the SQRL client will redirect the pending browser page to the URL specified in this parameter.
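Review bot: In the first hunk (@@ -928,7 +928,7 @@) the "they are not needed" to "is not needed" fix is correct, but the unchanged context in the same hunk still carries the editor placeholder "[add xref here once section on nut is complete]" in the "nut=" description; if this patch is meant to be an editorial pass over the server-response parameters, that placeholder should either be resolved or tracked, since it will otherwise ship in the rendered draft. The preceding context line also reads "The server MUST declare the set of supported protocol versions, and this declaration MUST be first in the client's argument list", which mixes the server's declaration with the client's argument list; one of the two should be corrected while this paragraph is being touched.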
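Review bot: In the second hunk (@@ -938,15 +938,15 @@) the new 0x40 Command Failed text contradicts itself. The added sentence "If neither ID Match bit (0x01 and 0x02) is set, then the problem may be an unknown identity; the client should try with successive previous identities" tells the client to inspect 0x01 and 0x02 when 0x40 is set, yet the sentence that follows states "the client MUST consider all other TIFs other than 0x10, 0x20, 0x80, and 0x100 to be invalid", which makes 0x01 and 0x02 invalid in exactly that case. Either add 0x01 and 0x02 to the list of bits that remain meaningful under 0x40, or move the unknown-identity guidance to a place where the ID Match bits are defined as valid. The "should try" in the added sentence also reads as a requirement and should use the RFC 2119 "SHOULD" the rest of the table uses. The "url=" fix (session, use this) and the "sin=" trim are fine; for "sin=", the retained "SHOULD contain a cryptographically-secure degree of entropy" now stands alone after "request a 256-bit indexed secret", so it is worth stating that the entropy requirement applies to the "sin=" value the server sends, not to the client's derived secret.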