- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 10 Mar 2021 20:32:38 +0000
- To: public-webauthn@w3.org
I'm not sure I understand your question, but it looks to me like rsolomakhin/secure-payment-confirmation#40 is planning to use the WebAuthn API unchanged, and only modify how the [`challenge`](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-challenge) is constructed. I'm not sure where JWS comes into this.

Is your worry in rsolomakhin/secure-payment-confirmation#40 that the `challenge` may be derived from nondeterministically serialized JSON, so it would be difficult to reconstruct the exact signed data? If so, that should largely be solved by the fact that the [`clientDataJSON`](https://w3c.github.io/webauthn/#dom-authenticatorresponse-clientdatajson) field of the signed response contains the exact bytes that were signed. So a Relying Party can first verify that the signature is valid over the signed data `authenticatorData || clientDataJSON`, and then parse `clientDataJSON` and verify that the contents are correct.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1581#issuecomment-796054738 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 March 2021 20:32:40 UTC