[webauthn] "credential ID" not signed over by authenticatorGetAssertion operation

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== "credential ID" not signed over by authenticatorGetAssertion operation ==
I note that in [authenticatorGetAssertion operation](https://w3c.github.io/webauthn/#op-get-assertion), the "credential ID" is not signed over -- i.e., it is not included in `authenticator data` because no `attObj` is contained in the `authenticator data` returned by this operation. As I (vaguely) recall, we discussed this long ago and determined that the worst downside of a buggy authenticator returning an incorrect credential ID is that the RP will not look up the correct cred public key with which to verify the returned signed `authenticator data` (aka assertion) and the overall ceremony would thus end in error.

We should probably document this rationale and consequence somewhere in the spec.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/394 using your GitHub account
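The consequence described in the issue, as an added RP-side example that is not code from the spec or from the issue author: the signature covers only `authenticatorData || SHA-256(clientDataJSON)`, so the credential ID merely selects which registered key the RP verifies against, and a wrong ID can only make the ceremony fail. The `RPStore` table, the `Demo` helper and the sample authenticator/client data are constructed assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RPStore is a hypothetical RP credential table: credential ID -> public key.
type RPStore map[string]*ecdsa.PublicKey

// SignedBytes is what authenticatorGetAssertion actually signs:
// authenticatorData || SHA-256(clientDataJSON). The credential ID is not in it.
func SignedBytes(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// VerifyAssertion is the RP's check: the credential ID only selects which
// registered key to use; it is not itself authenticated by the signature.
func (s RPStore) VerifyAssertion(credID string, authData, clientDataJSON, sig []byte) error {
	pub, ok := s[credID]
	if !ok {
		return errors.New("unknown credential ID")
	}
	digest := sha256.Sum256(SignedBytes(authData, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the looked-up key")
	}
	return nil
}

// Demo registers two credentials, signs an assertion with key A, and presents it
// under the correct ID, the other credential's ID, and an unknown ID.
func Demo() (correct, wrongID, unknownID error) {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	store := RPStore{"cred-A": &keyA.PublicKey, "cred-B": &keyB.PublicKey}
	authData := []byte("constructed-authenticator-data") // constructed sample, not a real encoding
	clientData := []byte(`{"type":"webauthn.get","challenge":"c0ffee"}`) // constructed sample
	digest := sha256.Sum256(SignedBytes(authData, clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, keyA, digest[:])
	return store.VerifyAssertion("cred-A", authData, clientData, sig),
		store.VerifyAssertion("cred-B", authData, clientData, sig),
		store.VerifyAssertion("cred-C", authData, clientData, sig)
}
```

Only the first call succeeds; a misreported credential ID yields a verification or lookup error rather than an accepted assertion under someone else's key.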

Received on Friday, 7 April 2017 17:41:49 UTC