
[webauthn] Description of attestation signature generation for ECDAA needs to be fixed.

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Wed, 27 Sep 2017 11:45:43 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-260944096-1506512731-sysbot+gh@w3.org>

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Description of attestation signature generation for ECDAA needs to be fixed. ==
§7.2 Packed Attestation Statement Format describes the syntax and semantics of the Packed Attestation Statement.
The signing and verification attestation procedures are explained.
In the case of using ECDAA for the attestation, the signing procedure is somewhat weird.
The following is the described signing procedure for ECDAA.
> If ECDAA is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using ECDAA-Sign (see section 3.5 of [FIDOEcdaaAlgorithm]) with a ECDAA-Issuer public key selected through an authenticator-specific mechanism (see [FIDOEcdaaAlgorithm]). It sets alg to the algorithm of the ECDAA-Issuer public key and ecdaaKeyId to the identifier of the ECDAA-Issuer public key (see above).

In order to generate an ECDAA signature, a signer (authenticator) generates the signature with the ECDAA credential and private key instead of using the ECDAA-Issuer public key.
So the signing procedure for ECDAA should be fixed.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/591 using your GitHub account
Received on Wednesday, 27 September 2017 11:45:35 UTC
