Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

> Thanks @grzuy, sorry for the guesswork - as you can probably tell, I'm not familiar with Ruby.

No worries :-)

> 
> I'm just trying to work out what the best export format(s) would be.
> 
> My understanding of the "COSE Key Format" is that it's still effectively binary, so I assume you would need something like base64 encoding to get it back to your server

Yes.

For anyone using `webauthn-ruby` in the RP server, we recommend [`webauthn-json`](https://github.com/github/webauthn-json/) for corresponding RP client code so that you get `base64url` data instead of `ArrayBuffer`s out of the WebAuthn API.

>, where it will be stored, and later used for verification (would that need a server side CBOR decoder as well?).

Yes.

`webauthn-ruby` uses [`cose-ruby`](https://github.com/cedarcode/cose-ruby) for credential public key deserialization/decoding, which partially implements [RFC 8152](https://tools.ietf.org/html/rfc8152) and uses [`cbor-ruby`](https://github.com/cabo/cbor-ruby) behind the scenes.

So, in summary:

webauthn-json ==> webauthn-ruby ==> cose-ruby ==> cbor-ruby

> 
> So I'm wondering, do you think the "COSE Key Format" is the best approach for all Ruby projects? or are there better formats?

With `cose-ruby` out there, it's as easy as doing:

```ruby
credential_public_key = COSE::Key.deserialize(credential_public_key_cbor)
```

I hope eventually there will be a COSE library (at least having key deserialization) for every "somewhat popular" programming language. I see just a few in https://github.com/topics/cose, as of today.

> 
> Ideally it would allow the transfer (browser to server), storage, and signature verification steps to be done using as few steps/dependencies as possible.
> 
> In the PHP world, I can pass the PEM encoded value directly to the server via a POST request, store it in the database, and pass it directly to OpenSSL with no extra dependencies (I'm still not sure if that's safe to do, but I will be checking that soon).



-- 
GitHub Notification of comment by grzuy
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-579757117 using your GitHub account

Received on Wednesday, 29 January 2020 13:34:39 UTC
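
The two formats compared in this thread, as an added example that is not part of the original message and is not code from `webauthn-ruby`, `cose-ruby` or `cbor-ruby`: it decodes a "COSE Key Format" credential public key and re-encodes it as the PEM that OpenSSL accepts. Assumptions: only ES256 on P-256 is handled, the CBOR reader is a hand-written subset for illustration (an RP server would use `cose-ruby`), and the names `cbor_item`, `cose_ec2_to_pem` and the sample key are constructed here.

```ruby
require "openssl"
# Constructed sample: COSE_Key (RFC 8152) for ES256 whose point is the P-256
# generator G, so the coordinates are public test values, not a real credential.
GX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
GY = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
SAMPLE_COSE_KEY = ["a5010203262001215820#{GX}225820#{GY}"].pack("H*")

# Decode one CBOR item of the kinds a COSE_Key uses; returns [value, next_offset].
def cbor_item(buf, pos)
  head = buf.getbyte(pos) or raise ArgumentError, "truncated CBOR"
  major, info, pos = head >> 5, head & 0x1f, pos + 1
  extra = { 24 => 1, 25 => 2, 26 => 4 }[info]
  if extra
    raise ArgumentError, "truncated CBOR" if pos + extra > buf.bytesize
    info = buf.byteslice(pos, extra).unpack1("H*").to_i(16)
    pos += extra
  elsif info > 23
    raise ArgumentError, "unsupported CBOR length encoding"
  end
  case major
  when 0 then [info, pos]            # unsigned integer
  when 1 then [-1 - info, pos]       # negative integer
  when 2                             # byte string
    raise ArgumentError, "truncated CBOR" if pos + info > buf.bytesize
    [buf.byteslice(pos, info), pos + info]
  when 5                             # map
    map = {}
    info.times do
      k, pos = cbor_item(buf, pos)
      raise ArgumentError, "duplicate map key" if map.key?(k)
      map[k], pos = cbor_item(buf, pos)
    end
    [map, pos]
  else raise ArgumentError, "unsupported CBOR major type #{major}"
  end
end

# COSE_Key -> PEM. Labels: 1 kty (2 = EC2), 3 alg (-7 = ES256), -1 crv (1 = P-256), -2 x, -3 y.
def cose_ec2_to_pem(cose_cbor)
  key, used = cbor_item(cose_cbor.b, 0)
  raise ArgumentError, "not a single CBOR map" unless key.is_a?(Hash) && used == cose_cbor.bytesize
  raise ArgumentError, "unexpected key type" unless key.values_at(1, 3, -1) == [2, -7, 1]
  x, y = key.values_at(-2, -3)
  raise ArgumentError, "bad coordinates" unless [x, y].all? { |c| c.is_a?(String) && c.bytesize == 32 }
  # SubjectPublicKeyInfo: OIDs id-ecPublicKey + prime256v1, then the uncompressed point 04 || x || y.
  alg = OpenSSL::ASN1::Sequence.new(%w[1.2.840.10045.2.1 1.2.840.10045.3.1.7].map { |o| OpenSSL::ASN1::ObjectId.new(o) })
  spki = OpenSSL::ASN1::Sequence.new([alg, OpenSSL::ASN1::BitString.new("\x04".b + x + y)])
  OpenSSL::PKey.read(spki.to_der).to_pem   # let OpenSSL parse the key before exporting it
end
```

The 77-byte COSE key carries the algorithm (`alg`) alongside the coordinates, which the PEM form does not, so an RP that stores PEM has to record the expected algorithm separately.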