- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 23 Jan 2020 13:30:15 +0000
- To: public-webauthn@w3.org
In the interest of having something concrete to work with, I'll propose updating the `AuthenticatorAttestationResponse` API to the following:

```
[SecureContext, Exposed=Window]
interface AuthenticatorAttestationResponse : AuthenticatorResponse {
    [SameObject] readonly attribute ArrayBuffer attestationObject;
    sequence<DOMString> getTransports();
    [SameObject] readonly attribute ArrayBuffer rpIdHash;
    AuthenticatorDataFlags getFlags();
    readonly attribute unsigned long signCount;
    [SameObject] readonly attribute ArrayBuffer aaguid;
    dictionary getPublicKeyJwk();
    [SameObject] readonly attribute ArrayBuffer? extensions;
};

dictionary AuthenticatorDataFlags {
    readonly attribute boolean UP;
    readonly attribute boolean UV;
};
```

where

- `attestationObject` and `getTransports` are unchanged.
- `rpIdHash` is the [RP ID hash][rpidhash] in the authenticator data.
- `getFlags()` returns an `AuthenticatorDataFlags` object as described below.
- `signCount` is the [signature counter][signcount] in the authenticator data.
- `aaguid` is the [AAGUID][aaguid] in the attested credential data.
- `getPublicKeyJwk()` returns the [credential public key][pubkey] encoded as a JWK [[RFC 7518][rfc7518]] formatted object.
- `extensions` is `null` if the `ED` flag is 0, and the raw [extensions part of the authenticator data][extensions] if the `ED` flag is 1.
- `AuthenticatorDataFlags` is a new type:
  - `UP` is bit 0 (user present) of the [authenticator data flags][flags].
  - `UV` is bit 2 (user verified) of the [authenticator data flags][flags].

The AT and ED flags are omitted since their purpose is for parsing the authenticator data.

Analogues for `AuthenticatorAssertionResponse` are deliberately omitted, because for assertions the values should not be trusted without verifying the signature. If you have to verify the pre-parsed values against the signed byte array anyway, then you're not really benefiting from the pre-parsed values.

[aaguid]: https://w3c.github.io/webauthn/#aaguid
[extensions]: https://w3c.github.io/webauthn/#authdataextensions
[flags]: https://w3c.github.io/webauthn/#flags
[pubkey]: https://w3c.github.io/webauthn/#credentialpublickey
[rfc7518]: https://tools.ietf.org/html/rfc7517
[rpidhash]: https://w3c.github.io/webauthn/#rpidhash
[signcount]: https://w3c.github.io/webauthn/#signcount

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-577681873 using your GitHub account
Received on Thursday, 23 January 2020 13:30:20 UTC
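
An added example, not part of the original message or of the WebAuthn specification: the byte-level parsing a caller has to do by hand to obtain the values the proposed attributes would expose (`rpIdHash`, the `UP`/`UV` flags, `signCount`, `aaguid`). It assumes the authenticator data has already been extracted from the CBOR `attestationObject`; the function names are hypothetical, the sample bytes are constructed, and the CBOR-encoded public key and extensions are returned undecoded.

```javascript
// Added example; names are hypothetical and the sample bytes are constructed.
// Bit masks for the authenticator data flags byte.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const FLAG_AT = 0x40; // bit 6: attested credential data included
const FLAG_ED = 0x80; // bit 7: extension data included

function parseAuthenticatorData(authData) {
  const bytes = new Uint8Array(authData);
  // Fixed header: 32-byte rpIdHash + 1 flags byte + 4-byte signCount.
  if (bytes.length < 37) throw new RangeError('authenticator data shorter than 37 bytes');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flagsByte = bytes[32];
  const out = {
    rpIdHash: bytes.slice(0, 32),
    flags: { UP: (flagsByte & FLAG_UP) !== 0, UV: (flagsByte & FLAG_UV) !== 0 },
    signCount: view.getUint32(33, false), // big-endian
    aaguid: null,
    credentialId: null,
    hasExtensions: (flagsByte & FLAG_ED) !== 0,
    rest: bytes.slice(37), // undecoded CBOR: public key (if AT), then extensions (if ED)
  };
  if (flagsByte & FLAG_AT) {
    // Attested credential data: 16-byte AAGUID, 2-byte length, credential ID.
    if (bytes.length < 55) throw new RangeError('AT flag set but attested credential data truncated');
    const idLen = view.getUint16(53, false);
    if (bytes.length < 55 + idLen) throw new RangeError('credential ID runs past end of data');
    out.aaguid = bytes.slice(37, 53);
    out.credentialId = bytes.slice(55, 55 + idLen);
    out.rest = bytes.slice(55 + idLen);
  }
  return out;
}

// Constructed sample: UP|UV|AT set, signCount 258, 4-byte credential ID,
// and a single 0xa0 byte (empty CBOR map) standing in for the public key.
function buildSampleAuthData() {
  const credId = [1, 2, 3, 4];
  return Uint8Array.from([
    ...new Array(32).fill(0x11),
    FLAG_UP | FLAG_UV | FLAG_AT,
    0x00, 0x00, 0x01, 0x02,
    ...new Array(16).fill(0xaa),
    0x00, credId.length,
    ...credId,
    0xa0,
  ]);
}
```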