
[webauthn] #registering-a-new-credential step 10 breakage

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Sep 2017 21:51:44 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-256853511-1505166695-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== #registering-a-new-credential step 10 breakage ==
[#registering-a-new-credential](https://w3c.github.io/webauthn/#registering-a-new-credential) step 10 is presently:
10. Verify that |attStmt| is a correct, validly-signed attestation statement, 
using the attestation statement format |fmt|'s
verification procedure given [=authenticator data=] |authData| 
and the [=hash of the serialized client data=] computed in step 6.
Issues with step 10:
1. the first is that |attStmt| is not what is signed over.  Rather, [[=authenticator data for the attestation=]](https://w3c.github.io/webauthn/#authenticator-data-for-the-attestation) and [[=hash of the serialized client data=]](https://w3c.github.io/webauthn/#collectedclientdata-hash-of-the-serialized-client-data) are what is signed over.  |attStmt| simply conveys the |sig| value.  E.g., see the Signing Procedure in [#packed-attestation](https://w3c.github.io/webauthn/#packed-attestation). 

2. it does not clearly/properly reference the attestation stmt format sections, nor the attstn stmt format registry, where the signature verification procedures are defined.

suggest for step 10:
10. Verify that |attStmt| is a correct [=attestation statement=], conveying 
a valid [=attestation signature=], by 
using the [=attestation statement format=] |fmt|'s
[=attestation statement format=], given [=authenticator data=] |authData| 
and the [=hash of the serialized client data=] computed in step 6.
Each [=attestation statement format=]'s verification procedure is given by
the format's specification. See [[#defined-attestation-formats]] for the initially-defined formats, and [[!WebAuthn-Registries]] for the up-to-date list.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/561 using your GitHub account
Received on Monday, 11 September 2017 21:51:49 UTC
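The point of the issue is that the relying party must verify the attestation signature over the concatenation of the authenticator data and the hash of the serialized client data, with |attStmt| merely carrying the signature bytes. The following Go program is an added example, not code from the issue author or from the WebAuthn specification or any of its implementations; it models only the signature check of the packed format's procedure for the self-attestation case (ES256 assumed), with constructed authData and clientDataJSON values and hypothetical names (PackedAttStmt, VerifyPackedSelfAttestation, makeAttestation, Demo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PackedAttStmt models the one field of a "packed" attestation statement that
// this example needs (alg and x5c omitted). It is an assumption of this
// example, not a type from the specification or from any WebAuthn library.
type PackedAttStmt struct {
	Sig []byte // DER-encoded ECDSA signature conveyed by attStmt
}

// clientDataHash returns the hash of the serialized client data (SHA-256 of
// the clientDataJSON bytes), as the relying party computes it in step 6.
func clientDataHash(clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return h[:]
}

// signedData is what the attestation signature actually covers:
// authenticatorData || clientDataHash (never the attStmt itself).
func signedData(authData, cdHash []byte) []byte {
	out := make([]byte, 0, len(authData)+len(cdHash))
	out = append(out, authData...)
	return append(out, cdHash...)
}

// VerifyPackedSelfAttestation performs the signature check of the packed
// format's verification procedure for self attestation: attStmt.sig must
// verify over authData || clientDataHash under the credential public key.
// ES256 (ECDSA on P-256 with SHA-256) is assumed for this example.
func VerifyPackedSelfAttestation(pub *ecdsa.PublicKey, authData, clientDataJSON []byte, att PackedAttStmt) error {
	if pub == nil || pub.Curve != elliptic.P256() {
		return errors.New("unsupported credential public key")
	}
	digest := sha256.Sum256(signedData(authData, clientDataHash(clientDataJSON)))
	if !ecdsa.VerifyASN1(pub, digest[:], att.Sig) {
		return errors.New("attestation signature does not verify over authData || clientDataHash")
	}
	return nil
}

// makeAttestation plays the authenticator side of the packed signing
// procedure (constructed for this example): sign authData || clientDataHash
// with the credential private key and convey the result in attStmt.sig.
func makeAttestation(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) (PackedAttStmt, error) {
	digest := sha256.Sum256(signedData(authData, clientDataHash(clientDataJSON)))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return PackedAttStmt{}, err
	}
	return PackedAttStmt{Sig: sig}, nil
}

// Demo builds constructed sample inputs and reports whether verification
// succeeds on the genuine inputs and fails once authData is altered.
func Demo() (genuineOK bool, tamperedRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample authData: rpIdHash || flags || signCount; the
	// attested credential data that follows in real authData is omitted.
	rpIDHash := sha256.Sum256([]byte("example.com"))
	authData := append(rpIDHash[:], 0x41, 0, 0, 0, 1) // flags UP|AT, signCount 1
	clientDataJSON := []byte(`{"type":"webauthn.create","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://example.com"}`)

	att, err := makeAttestation(priv, authData, clientDataJSON)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyPackedSelfAttestation(&priv.PublicKey, authData, clientDataJSON, att) == nil

	// Change the sign counter byte: the same attStmt.sig must now be rejected,
	// which is only the case because the signature covers authData.
	tampered := append([]byte(nil), authData...)
	tampered[len(tampered)-1] ^= 0xff
	tamperedRejected = VerifyPackedSelfAttestation(&priv.PublicKey, tampered, clientDataJSON, att) != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rej, err := Demo()
	fmt.Println("genuine verifies:", ok, "tampered authData rejected:", rej, "err:", err)
}
```

A full relying-party check would also dispatch on |fmt| to the matching format's procedure, parse |alg| and any |x5c| chain from |attStmt|, and compare the key used for verification against the credential public key in the attested credential data; the example deliberately shows only the input to the signature check that the issue is about.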