- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Mon, 08 Feb 2021 03:23:27 +0000
- To: public-webauthn@w3.org
> hm... Though, step 12 is:
>
> > 1. Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
>
> If we want/need to be pedantically clear, perhaps we ought to add at the end of the above something like ", from which the [=credential public key=] is obtained."
>
> ...?

Perhaps this is the issue. In my implementation, we do not extract the credential public key until the verification of the attStmt is completed. However, I believe this is the correct order of operations, because you should validate the attestation before trusting the content of the credential public key contained within that attestation. This is why I suggest that the step be moved, since I think that this progression seems more robust: the credential public key being contained within the attestation does "hint" that we should validate that attestation *first* before we trust its internals.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1555#issuecomment-774839721 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 8 February 2021 03:23:28 UTC
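The order of operations discussed above, as an added example that is not part of the thread, the WebAuthn spec text, or Firstyear's implementation: a relying-party registration verifier that CBOR-decodes attestationObject (spec step 12), checks authData, verifies attStmt, and only after that parses the credential public key out of the attested credential data. It carries its own minimal CBOR decoder so it runs offline. Assumptions: only the "none" attestation format is handled (anything else is rejected rather than trusted), authData extensions are not supported, and the sample attestationObject is constructed inline, using the P-256 generator point as the credential public key and a zero AAGUID. All function and constant names are this example's own.

```python
"""Added example (not from the thread or the WebAuthn spec): a registration
verifier that decodes attestationObject (spec step 12), verifies attStmt, and
only then reads the credential public key out of authData. Handles only the
"none" attestation format; other formats are rejected, never trusted blindly."""
import hashlib
import struct

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def cbor_decode(data: bytes):
    """Decode one CBOR item (ints, byte/text strings, arrays, maps); minimal by design."""
    value, end = _cbor_item(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value


def _cbor_item(buf, pos):
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26):                           # 1-, 2- or 4-byte argument
        n = {24: 1, 25: 2, 26: 4}[info]
        if pos + n > len(buf):
            raise ValueError("truncated CBOR header")
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major in (2, 3):                                  # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                                  # array / map (decoded as a flat list)
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = _cbor_item(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_auth_data(auth_data: bytes):
    """Split authenticatorData into rpIdHash, flags, signCount and attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    if flags & FLAG_ED:
        raise ValueError("authData extensions not supported by this example")
    out = {"rpIdHash": auth_data[:32], "flags": flags,
           "signCount": struct.unpack_from(">I", auth_data, 33)[0], "attested": None}
    if flags & FLAG_AT:
        cred_id_len = struct.unpack_from(">H", auth_data, 53)[0]
        out["attested"] = {"aaguid": auth_data[37:53],
                           "credentialId": auth_data[55:55 + cred_id_len],
                           "coseKey": auth_data[55 + cred_id_len:]}   # remainder is the COSE key
    return out


def verify_registration(attestation_object: bytes, rp_id: str):
    """Return credentialId + COSE public key, but only after attStmt has been verified."""
    att_obj = cbor_decode(attestation_object)                          # spec step 12
    fmt, att_stmt, auth = att_obj["fmt"], att_obj["attStmt"], parse_auth_data(att_obj["authData"])
    if auth["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not auth["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if auth["attested"] is None:
        raise ValueError("AT flag not set: no attested credential data")
    # Verify the attestation statement BEFORE reading anything out of it.
    if fmt == "none":
        if att_stmt != {}:                     # spec: for fmt "none", attStmt MUST be the empty map
            raise ValueError("fmt none with non-empty attStmt")
    else:
        raise ValueError("unsupported attestation format %r" % fmt)
    # Only now is the credential public key extracted and trusted.
    cose_key = cbor_decode(auth["attested"]["coseKey"])
    if cose_key.get(1) != 2 or cose_key.get(3) != -7 or cose_key.get(-1) != 1:
        raise ValueError("expected an EC2 / P-256 / ES256 COSE key")
    return {"credentialId": auth["attested"]["credentialId"], "publicKey": cose_key}


# --- constructed sample (no real authenticator): P-256 generator point as the public key ---
P256_GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
P256_GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
SAMPLE_CRED_ID = bytes(range(16))


def _cbor_str(s: str) -> bytes:            # CBOR text string, length < 24
    return bytes([0x60 | len(s)]) + s.encode()


def _cbor_bstr(b: bytes) -> bytes:         # CBOR byte string, length < 256
    return (bytes([0x58, len(b)]) if len(b) >= 24 else bytes([0x40 | len(b)])) + b


def build_sample_attestation_object(rp_id="example.com", att_stmt=b"\xa0") -> bytes:
    """attestationObject {fmt: "none", attStmt: <att_stmt>, authData: ...} as raw CBOR."""
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01"            # {1: 2, 3: -7, -1: 1,
                + b"\x21" + _cbor_bstr(P256_GX)               #  -2: x,
                + b"\x22" + _cbor_bstr(P256_GY))              #  -3: y}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 1)
                 + bytes(16)                                  # zero AAGUID
                 + struct.pack(">H", len(SAMPLE_CRED_ID)) + SAMPLE_CRED_ID + cose_key)
    return (b"\xa3" + _cbor_str("fmt") + _cbor_str("none")
            + _cbor_str("attStmt") + att_stmt
            + _cbor_str("authData") + _cbor_bstr(auth_data))
```

With the default sample, `verify_registration(build_sample_attestation_object(), "example.com")` returns the credential ID and the decoded COSE key; passing a non-empty attStmt (for example `b"\xa1\x63sig\x40"`, the map `{"sig": b""}`) or a different rpId raises before the key is ever parsed, which is the property the comment argues the spec's step ordering should make obvious.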