W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2017

Questions over Firefox's implementation

From: J.C. Jones <jc@mozilla.com>
Date: Mon, 7 Aug 2017 08:44:40 -0700
Message-ID: <CAObDDPCYdJ2oi9cj=yCpQZ047u8Q6LKjkMEtPopMTJE7a0vBcQ@mail.gmail.com>
To: W3C WebAuthn WG <public-webauthn@w3.org>
Hey all,

Firefox had a bug filed against our WebAuthn U2F Attestation mode over the
weekend (Bug 1387820) <https://bugzilla.mozilla.org/show_bug.cgi?id=1387820>
about the assertion signature. It notes two issues:

   1. The Assertion.Response.Signature field actually contains the flags
   byte, the counter, and then the signature, and
   2. The signature is ASN.1 encoded rather than per RFC7518

Regarding #1:

Reading Section 7.6 of WD-05
<https://www.w3.org/TR/webauthn/#fido-u2f-attestation>, the signing
procedure says we should generate a signature per the FIDO U2F formats and
set that to *sig*. I've interpreted that to mean it should be the
FIDO-format signature, as in the whole thing that comes back from the token
- flags, counter, and all. Perhaps that's not what's intended?

Regarding #2:

Even when changing to COSE-derived algorithm names, I guess we'd run the
confusion of what format this gets encoded in. I'm *guessing* we still want
it to be ASN.1?

I'm asking before opening issues because I could absolutely just be in the
wrong here. Let me know what you think, and feel free to open issues if you
agree we should make changes to the spec.

Received on Monday, 7 August 2017 15:45:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:38 UTC