[webauthn] Assertion signature verification procedure defined in Section 7.2 doesn't fit the signature generated by a FIDO-U2F token.

ynojima has just created a new issue for https://github.com/w3c/webauthn:

== Assertion signature verification procedure defined in Section 7.2 doesn't fit the signature generated by a FIDO-U2F token. ==
WebAuthn signature generation procedure is not equal to that of FIDO-U2F. [1]
Assertion signature verification procedure defined in Section 7.2 doesn't fit the signature generated by a FIDO-U2F token.
The spec should denote that the assertion generated by a FIDO-U2F token should be verified in the manner defined in the FIDO-U2F spec.

[1]
The web authentication spec defines that the signature is generated
over the concatenation of the authenticator data and the hash of the
serialized client data
(See https://w3c.github.io/webauthn/#op-get-assertion), but
FIDO U2F defines that the signature is generated
over the following source:
- The application parameter [32 bytes] from the authentication request message.
- The user presence byte [1 byte].
- The counter [4 bytes].
- The challenge parameter [32 bytes] from the authentication request message.
(See https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success)


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/845 using your GitHub account

Received on Sunday, 18 March 2018 14:37:22 UTC