W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2021

Re: [webauthn] Assertion signatures with JWS? (#1581)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Mar 2021 20:32:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-796054738-1615408357-sysbot+gh@w3.org>
I'm not sure I understand your question, but it looks to me like rsolomakhin/secure-payment-confirmation#40 is planning to use the WebAuthn API unchanged, and only modify how the [`challenge`](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-challenge) is constructed. I'm not sure where JWS comes into this.

Is your worry in rsolomakhin/secure-payment-confirmation#40 that the `challenge` may be derived from nondeterministically serialized JSON, so it would be difficult to reconstruct the exact signed data? If so, that should largely be solved by the fact that the [`clientDataJSON`](https://w3c.github.io/webauthn/#dom-authenticatorresponse-clientdatajson) field of the signed response contains the exact bytes that were signed. So a Relying Party can first verify that the signature is valid over the signed data `authenticatorData || clientDataJSON`, and then parse `clientDataJSON` and verify that the contents are correct.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1581#issuecomment-796054738 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 March 2021 20:32:40 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC