
Re: [webauthn] Spec should not mandate behavior of server

From: Adam Powers via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 May 2016 15:09:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-218187905-1462892940-sysbot+gh@w3.org>

For relevant points, see:
* [Section 4.3.1](http://w3c.github.io/webauthn/#attestation-models): Compliant servers MUST support all attestation models. Authenticators can choose what attestation model to implement.
* [Section 4.3.2.1.2](http://w3c.github.io/webauthn/#packed-attestation-signature): The signature is computed over the rawData field. The following algorithms must be implemented by servers:
* [Section 6.5](http://w3c.github.io/webauthn/#uvi-extension): Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.
* [Section 4.3.3](http://w3c.github.io/webauthn/#verifying-an-attestation-statement): Upon receiving an attestation statement, the WebAuthn Relying Party shall:

Like attestation statements and signature formats, this sort of 
information is useful to those that are trying to use the APIs. 
Suggesting broad adoption of some set of crypto / attestation formats 
is important to make sure implementations are broadly interoperable. 
Also, Section 4.3.3 is generally important to make sure that a server 
is doing its appropriate security diligence.

-- 
GitHub Notification of comment by apowers313
Please view or discuss this issue at
https://github.com/w3c/webauthn/issues/88#issuecomment-218187905
using your GitHub account
Received on Tuesday, 10 May 2016 15:09:03 UTC
