[webauthn] #registering-a-new-credential step 10 breakage

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== #registering-a-new-credential step 10 breakage ==
[#registering-a-new-credential](https://w3c.github.io/webauthn/#registering-a-new-credential) step 10 is presently:
```
10. Verify that |attStmt| is a correct, validly-signed attestation statement, 
using the attestation statement format |fmt|'s
verification procedure given [=authenticator data=] |authData| 
and the [=hash of the serialized client data=] computed in step 6.
```
Issues with step 10:
1. the first is that |attStmt| is not what is signed over.  Rather, [[=authenticator data for the attestation=]](https://w3c.github.io/webauthn/#authenticator-data-for-the-attestation) and [[=hash of the serialized client data=]](https://w3c.github.io/webauthn/#collectedclientdata-hash-of-the-serialized-client-data) are what is signed over.  |attStmt| simply conveys the |sig| value.  E.g., see the Signing Procedure in [#packed-attestation](https://w3c.github.io/webauthn/#packed-attestation). 

2. it does not clearly/properly reference the attestation stmt format sections, nor the attstn stmt format registry, where the signature verification procedures are defined.

suggest for step 10:
```
10. Verify that |attStmt| is a correct [=attestation statement=], conveying 
a valid [=attestation signature=], by 
using the [=attestation statement format=] |fmt|'s
[=attestation statement format=], given [=authenticator data=] |authData| 
and the [=hash of the serialized client data=] computed in step 6.
Each [=attestation statement format=]'s verification procedure is given by
the format's specification. See [[#defined-attestation-formats]] for the initially-
defined formats, and [[!WebAuthn-Registries]] for the up-to-date list.
```


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/561 using your GitHub account

Received on Monday, 11 September 2017 21:51:49 UTC
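The point the issue makes (the signature covers authenticator data plus the hash of the serialized client data, and |attStmt| only carries |sig|) is concrete enough to show in code. The following Go example is added here; it is not code from the issue, the WebAuthn specification, or any WebAuthn library. It implements the self-attestation branch of the packed format's verification procedure for ES256 and makes some simplifying assumptions: the credential public key is passed in directly instead of being parsed from the COSE key in |authData|, |authData| and the client data JSON are constructed sample bytes, and no CBOR decoding of the attestation object is performed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// coseAlgES256 is the COSE algorithm identifier for ECDSA P-256 with SHA-256.
const coseAlgES256 = -7

// AttestationStatement is a hypothetical struct standing in for the packed
// format's attStmt CBOR map. It only conveys the signature; it is never
// itself the data that gets signed.
type AttestationStatement struct {
	Alg int64  // COSE algorithm identifier
	Sig []byte // DER-encoded ECDSA signature
}

// VerificationData returns the bytes the attestation signature covers:
// authenticatorData || SHA-256(clientDataJSON).
func VerificationData(authData, clientDataJSON []byte) []byte {
	clientDataHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), clientDataHash[:]...)
}

// SignPackedSelfAttestation plays the authenticator side: it signs
// SHA-256(authData || clientDataHash) with the credential private key.
func SignPackedSelfAttestation(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) (AttestationStatement, error) {
	digest := sha256.Sum256(VerificationData(authData, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return AttestationStatement{}, err
	}
	return AttestationStatement{Alg: coseAlgES256, Sig: sig}, nil
}

// VerifyPackedSelfAttestation plays the Relying Party side: check alg, then
// verify sig over the verification data with the credential public key
// (assumed here to have been taken from attestedCredentialData in authData).
func VerifyPackedSelfAttestation(stmt AttestationStatement, credentialPublicKey *ecdsa.PublicKey, authData, clientDataJSON []byte) error {
	if stmt.Alg != coseAlgES256 {
		return fmt.Errorf("unsupported COSE alg %d", stmt.Alg)
	}
	digest := sha256.Sum256(VerificationData(authData, clientDataJSON))
	if !ecdsa.VerifyASN1(credentialPublicKey, digest[:], stmt.Sig) {
		return errors.New("attestation signature does not verify over authData || clientDataHash")
	}
	return nil
}

// RunExample exercises both sides with constructed sample data and reports
// whether the genuine statement verifies and whether a statement presented
// with altered client data is rejected.
func RunExample() (genuineOK bool, tamperedRejected bool, err error) {
	// The authenticator's credential key pair, generated fresh for the example.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for authenticator data; real authData is
	// rpIdHash || flags || signCount || attestedCredentialData.
	authData := []byte("constructed-authenticator-data-bytes")
	clientDataJSON := []byte(`{"type":"webauthn.create","challenge":"constructed-challenge","origin":"https://example.com"}`)

	stmt, err := SignPackedSelfAttestation(priv, authData, clientDataJSON)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyPackedSelfAttestation(stmt, &priv.PublicKey, authData, clientDataJSON) == nil

	// Same attStmt, but the client data (and so its hash) no longer matches
	// what was signed: the RP must reject it.
	altered := []byte(`{"type":"webauthn.create","challenge":"different-challenge","origin":"https://example.com"}`)
	tamperedRejected = VerifyPackedSelfAttestation(stmt, &priv.PublicKey, authData, altered) != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	genuine, tampered, err := RunExample()
	fmt.Println("genuine verifies:", genuine, "tampered rejected:", tampered, "err:", err)
}
```

The verification data is rebuilt by the Relying Party from |authData| and its own copy of the client data, so |attStmt| never needs to contain anything beyond the algorithm identifier and the signature bytes, which is the distinction the issue asks the step 10 wording to make.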