- From: Vijay Bharadwaj <vijaybh@microsoft.com>
- Date: Fri, 22 Jul 2016 06:19:08 +0000
- To: W3C WebAuthn WG <public-webauthn@w3.org>, Rolf Lindemann <rlindemann@noknok.com>
Received on Friday, 22 July 2016 06:20:11 UTC
I was looking through the attestation formats and it seems to me that this area could use some cleanup. All the formats are defined in very different ways and it's not clear that all of them are equally capable. For instance none of the formats other than packed are able to deal with extensions at all. Also, Android attestation is quite weird in that it extends the ClientData with fields that really should be authenticator-attested. I would like to revise this section significantly, and organize it as follows: - In the core spec, define the rawData format for packed attestation as the thing that is always generated by the authenticator. This could even be extended by the above (Android) fields if necessary. - Define an attestation format as consisting of the following things: o A method to take in a rawData in the above format and produce a signature o A method to verify the above signature - Rewrite the attestation formats section in the above format This would also allow for adding new attestation formats in the future by taking a registry approach, as Giri had suggested. What do others think? If we have some momentum around this idea I can do up a PR by early next week. -- -Vijay
Received on Friday, 22 July 2016 06:20:11 UTC