- From: J.C. Jones <jc@mozilla.com>
- Date: Mon, 7 Aug 2017 08:44:40 -0700
- To: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAObDDPCYdJ2oi9cj=yCpQZ047u8Q6LKjkMEtPopMTJE7a0vBcQ@mail.gmail.com>
Hey all,

Firefox had a bug filed against our WebAuthn U2F Attestation mode over the weekend (Bug 1387820) <https://bugzilla.mozilla.org/show_bug.cgi?id=1387820> about the assertion signature. It notes two issues:

1. The Assertion.Response.Signature field actually contains the flags byte, the counter, and then the signature, and
2. The signature is ASN.1 encoded rather than per RFC7518

Regarding #1: Reading Section 7.6 of WD-05 <https://www.w3.org/TR/webauthn/#fido-u2f-attestation>, the signing procedure says we should generate a signature per the FIDO U2F formats and set that to *sig*. I've interpreted that to mean it should be the FIDO-format signature, as in the whole thing that comes back from the token - flags, counter, and all. Perhaps that's not what's intended?

Regarding #2: Even when changing to COSE-derived algorithm names, I guess we'd run into the confusion of what format this gets encoded in. I'm *guessing* we still want it to be ASN.1?

I'm asking before opening issues because I could absolutely just be in the wrong here. Let me know what you think, and feel free to open issues if you agree we should make changes to the spec.

Thanks,
J.C.
Received on Monday, 7 August 2017 15:45:27 UTC
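The two points in the message above (a signature field that carries flags and counter in front of the actual signature, and a signature that is DER-encoded rather than the raw r||s form RFC 7518 uses for ES256) are easiest to see with the bytes in hand. The following is an added example, not code from the email, from Firefox or from the WebAuthn spec: it splits a U2F authentication response into its flags byte, 4-byte big-endian counter and DER signature, and converts that DER `SEQUENCE { INTEGER r, INTEGER s }` to and from the fixed-width 64-byte form. The sample response bytes are constructed for illustration and are not a real token's output; the function names are mine.

```python
"""Split a FIDO U2F authentication response and convert its DER ECDSA
signature to the raw r||s layout that RFC 7518 (JWS ES256) expects.
Added example; the sample bytes below are constructed, not captured."""
import struct


def parse_u2f_auth_response(data: bytes):
    """Return (flags, counter, der_signature) from a U2F authenticate response.

    Layout: 1 byte user-presence flags, 4-byte big-endian counter, then a
    DER-encoded ECDSA signature of variable length.
    """
    if len(data) < 5:
        raise ValueError("response shorter than flags + counter")
    flags = data[0]
    counter = struct.unpack(">I", data[1:5])[0]
    return flags, counter, data[5:]


def _read_der_integer(buf: bytes, pos: int):
    """Read one short-form DER INTEGER at buf[pos]; return (bytes, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length = buf[pos + 1]
    if length & 0x80:
        # A P-256 signature component is at most 33 bytes, so long-form
        # lengths never occur in a well-formed signature; reject them.
        raise ValueError("long-form length not valid for an ECDSA signature")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("INTEGER runs past end of buffer")
    return buf[start:end], end


def der_to_raw_rs(der: bytes, coord_size: int = 32) -> bytes:
    """Decode DER SEQUENCE { INTEGER r, INTEGER s } into fixed-width r||s."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad SEQUENCE length")
    r, pos = _read_der_integer(der, 2)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    out = b""
    for part in (r, s):
        # DER prefixes 0x00 when the top bit is set so the INTEGER stays
        # positive; strip that, then left-pad to the curve coordinate size.
        part = part.lstrip(b"\x00")
        if len(part) > coord_size:
            raise ValueError("integer wider than the curve coordinate size")
        out += part.rjust(coord_size, b"\x00")
    return out


def raw_rs_to_der(raw: bytes) -> bytes:
    """Inverse direction: encode fixed-width r||s as a DER SEQUENCE."""
    half = len(raw) // 2
    encoded = []
    for part in (raw[:half], raw[half:]):
        part = part.lstrip(b"\x00") or b"\x00"
        if part[0] & 0x80:
            part = b"\x00" + part  # keep the INTEGER positive
        encoded.append(b"\x02" + bytes([len(part)]) + part)
    body = b"".join(encoded)
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample (not a real token response): flags 0x01 (user present),
# counter 42, then a DER signature whose s component needs the 0x00 prefix.
SAMPLE_R = bytes(range(1, 33))                    # 32 bytes, top bit clear
SAMPLE_S = bytes([0x80]) + bytes(range(2, 33))    # 32 bytes, top bit set
SAMPLE_DER_SIG = (b"\x30\x45"
                  + b"\x02\x20" + SAMPLE_R
                  + b"\x02\x21\x00" + SAMPLE_S)
SAMPLE_RESPONSE = b"\x01" + b"\x00\x00\x00\x2a" + SAMPLE_DER_SIG


def u2f_response_to_jws_signature(data: bytes):
    """Strip flags and counter, then emit the 64-byte RFC 7518 r||s form."""
    flags, counter, der_sig = parse_u2f_auth_response(data)
    return flags, counter, der_to_raw_rs(der_sig)


if __name__ == "__main__":
    flags, counter, raw = u2f_response_to_jws_signature(SAMPLE_RESPONSE)
    print(f"flags=0x{flags:02x} counter={counter} raw_sig_len={len(raw)}")
```

The strict checks in `der_to_raw_rs` (short-form lengths only, no trailing bytes, exact SEQUENCE length) are deliberate: a verifier that accepts sloppy DER, or that silently treats the flags and counter bytes as part of the signature, will reject valid assertions or verify against the wrong input, so it pays to fail loudly on any layout other than the one the spec names.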