W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2021

Re: [webauthn] Move step 16 of Registration to between 21 and 22 (#1555)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 08 Feb 2021 03:23:27 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-774839721-1612754606-sysbot+gh@w3.org>
> hm... Though, step 12 is:
> 
> > 1. Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
> 
> If we want/need to be pedantically clear, perhaps we ought to add at the end of the above something like ", from which the [=credential public key=] is obtained."
> 
> ...?

Perhaps this is the issue. In my implementation, we do not extract the credential public key until the verification of the attStmt is completed. However, I believe this is the correct order of operations because you should validate the attestation before trusting the content of the credential public key contained within that attestation. 

This is why I suggest that the step be moved since I think that this progression seems more robust as the credential public key being contained within the attestation, does "hint" that we should validate that attestation *first* before we trust it's internals. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1555#issuecomment-774839721 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 8 February 2021 03:23:28 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:42 UTC