- From: Arnar Birgisson via GitHub <sysbot+gh@w3.org>
- Date: Fri, 11 May 2018 00:43:58 +0000
- To: public-webauthn@w3.org
1. Agree with Emil that it doesn't require the challenge generation to happen on the server. In the language of the spec, "server" is just an example of "an environment they trust". Obviously the RP needs to trust the browser and its own origin context as well, so it can certainly generate a challenge there. 2. However, you can't use WebAuthn to sign arbitrary data. I.e. when you say you want to use it to sign a JWT, I'm not sure it does what you want. You can use or include a JWT in the challenge, but that's not the exact byte buffer that gets signed, it's merely included in client data, which is hashed and that hash is part of what the authenticator actually signs. You *can* extract your trust guarantees from that, as long as you have the public key on the verifier, but you'll need more than just the JWT - you'll need both the clientData and authenticatorData to verify that the challenge actually matched the JWT. Of course you can roll these into some base64 string, and define it as a custom signature algorithm that you use in your JWTs, but that sounds cumbersome. -- GitHub Notification of comment by arnar Please view or discuss this issue at https://github.com/w3c/webauthn/issues/902#issuecomment-388226516 using your GitHub account
Received on Friday, 11 May 2018 00:44:05 UTC