[webauthn] Public key rules for "packed" attestation type

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Mon, 02 Jul 2018 23:18:31 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-337694190-1530573506-sysbot+gh@w3.org>
sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Public key rules for "packed" attestation type ==
Consider section 8.2 https://www.w3.org/TR/webauthn/#packed-attestation 

When following the steps for the verification procedure it is not clear what validation should be performed on the attested credential public key (in authData). With the fido-u2f attestation type this is explicit (strict rules on key type, algorithm and curve). With packed, I can't find any validation rules in the spec for the credential public key. 

Whilst section 6.3.5 (https://www.w3.org/TR/webauthn/#signature-attestation-types) does make mention of signature formats, there is no guidance on what is considered an acceptable key type, algorithm, etc for packed attestation credentials. Is this a gap, or simply up to the policy of the RP to decide?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/981 using your GitHub account
Received on Monday, 2 July 2018 23:18:36 UTC
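
The following is an added example, not part of the original message or of the WebAuthn specification: one way a relying party could apply its own policy to the attested credential public key after packed attestation verification, next to the fixed ES256/P-256 rule for fido-u2f. It assumes the COSE_Key from authData has already been CBOR-decoded into a dict with integer labels; the function name, the profile table, the allow-list and the RSA size minimum are assumptions.

```python
# Added example: relying-party policy check on a decoded COSE_Key map.
# COSE labels and values are from RFC 8152 / the IANA COSE registry.
KTY, ALG, CRV, X, Y = 1, 3, -1, -2, -3
RSA_N, RSA_E = -1, -2

# Assumed policy table: alg -> (expected kty, expected crv, coordinate bytes)
PROFILES = {
    -7: (2, 1, 32),         # ES256: kty EC2, crv P-256
    -8: (1, 6, 32),         # EdDSA: kty OKP, crv Ed25519
    -257: (3, None, None),  # RS256: kty RSA
}
MIN_RSA_BYTES = 256  # assumed RP policy: modulus of at least 2048 bits


def _blen(value):
    """Length of a byte string, or -1 for missing or non-bytes values."""
    return len(value) if isinstance(value, bytes) else -1


def check_credential_key(cose_key, fmt, allowed_algs):
    """Return a list of policy violations (empty list = key accepted)."""
    if fmt == "fido-u2f":
        allowed_algs = {-7}  # U2F credentials are ECDSA P-256 only
    alg = cose_key.get(ALG)
    if alg not in allowed_algs or alg not in PROFILES:
        return [f"alg {alg} not permitted for {fmt}"]
    kty, crv, size = PROFILES[alg]
    errors = []
    if cose_key.get(KTY) != kty:
        errors.append(f"kty {cose_key.get(KTY)} does not match alg {alg}")
    elif kty == 3:
        if _blen(cose_key.get(RSA_N)) < MIN_RSA_BYTES:
            errors.append("RSA modulus too short")
        if _blen(cose_key.get(RSA_E)) < 1:
            errors.append("RSA exponent missing")
    else:
        if cose_key.get(CRV) != crv:
            errors.append(f"crv {cose_key.get(CRV)} does not match alg {alg}")
        if _blen(cose_key.get(X)) != size:
            errors.append("x has wrong length")
        if kty == 2 and _blen(cose_key.get(Y)) != size:
            errors.append("y has wrong length")
    return errors


# Constructed sample keys (placeholder bytes, not real key material).
P256_KEY = {KTY: 2, ALG: -7, CRV: 1, X: b"\x01" * 32, Y: b"\x02" * 32}
P384_AS_ES256 = {KTY: 2, ALG: -7, CRV: 2, X: b"\x01" * 48, Y: b"\x02" * 48}
RSA_KEY = {KTY: 3, ALG: -257, RSA_N: b"\xc3" * 256, RSA_E: b"\x01\x00\x01"}
```

Passing the set of algorithms the RP offered at registration as `allowed_algs` keeps the accepted key types tied to what the RP actually requested.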