Re: [webauthn] #registering-a-new-credential step 10 breakage

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 15 Sep 2017 08:49:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-329721836-1505465385-sysbot+gh@w3.org>

Personal anecdote: I as an implementer personally had no issue with the present formulation. The fact that `attStmt` is not the bytes signed over was not a cause of confusion for me as I found it clear that the `attStmt` is a polymorphic container for the signature.

I agree that a link to the definition of the [attestation statement][attStmt] or some such could be useful, though.

> the #verification-procedures may also need the RP's expected RP ID value passed-in.

The correctness of the RP ID is already verified in step 8 of [§6.1][reg] and [§6.2][auth], so the RP ID shouldn't be needed again in the signature verification step (other than the hash in the authenticator data).

[reg]: https://www.w3.org/TR/webauthn/#registering-a-new-credential
[auth]: https://www.w3.org/TR/webauthn/#verifying-assertion
[attStmt]: https://www.w3.org/TR/webauthn/#attestation-statement

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/561#issuecomment-329721836 using your GitHub account
Received on Friday, 15 September 2017 08:49:47 UTC
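
The ordering discussed in the message above, as an added example that is not part of the original message or of the specification text: the RP ID is checked once against `rpIdHash` in the authenticator data, and the signature step then only needs the signature taken out of `attStmt` plus the bytes it covers. It assumes the packed attestation layout (signature over authenticator data followed by the client data hash, carried in an `attStmt` field named `sig`); the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32],
            "user_present": bool(flags & 0x01),
            "sign_count": sign_count}

def rp_id_matches(auth_data: bytes, expected_rp_id: str) -> bool:
    """RP ID check: rpIdHash must equal SHA-256 of the RP's own RP ID."""
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(parse_auth_data(auth_data)["rp_id_hash"], expected)

def signed_bytes(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the signature covers (packed layout assumed):
    authenticator data || SHA-256(clientDataJSON).
    The RP ID appears here only as rpIdHash inside auth_data."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def prepare_signature_check(auth_data, client_data_json, att_stmt, expected_rp_id):
    """Run the RP ID check first, then return (signature, message) for the
    format-specific verifier. attStmt is the container; it is not the message."""
    if not rp_id_matches(auth_data, expected_rp_id):
        raise ValueError("rpIdHash does not match the expected RP ID")
    return att_stmt["sig"], signed_bytes(auth_data, client_data_json)

# Constructed sample input (not captured from a real authenticator).
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([0x01]) + struct.pack(">I", 7))
SAMPLE_CLIENT_DATA = (b'{"type":"webauthn.create","challenge":"Y29uc3RydWN0ZWQ",'
                      b'"origin":"https://example.com"}')
SAMPLE_ATT_STMT = {"alg": -7, "sig": b"constructed-signature-bytes"}

if __name__ == "__main__":
    sig, msg = prepare_signature_check(SAMPLE_AUTH_DATA, SAMPLE_CLIENT_DATA,
                                       SAMPLE_ATT_STMT, "example.com")
    print(len(sig), len(msg), parse_auth_data(SAMPLE_AUTH_DATA)["sign_count"])
```

The returned pair is what a format-specific verifier would pass to the credential's public-key check, which is outside the standard library and not shown.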
