[webauthn] How does signing the credential public key with the attestation private key prove to the RP that the user owns the credential private key? (#1679)

boogerlad has just created a new issue for https://github.com/w3c/webauthn:

== How does signing the credential public key with the attestation private key prove to the RP that the user owns the credential private key? ==
https://www.w3.org/TR/webauthn/#attestation-certificate says

> At registration time, the authenticator uses the attestation private key to sign the Relying Party-specific credential public key (and additional data) that it generates and returns via the authenticatorMakeCredential operation. Relying Parties use the attestation public key conveyed in the attestation certificate to verify the attestation signature

but in self attestation

> the Authenticator does not have any specific attestation key pair. Instead it uses the credential private key to create the attestation signature

To me, self attestation directly proves to the RP that the user has the credential private key since the credential public key is used to verify the attestation signature.

If webauthn were used as a usernameless registration / login, with self attestation, I would feel confident that after registering, they can also be signed in immediately without any further action. With other kinds of attestation (basic, none, etc.), I feel that after registering, I would need to go through the login flow again to get proof that the user has the private key. Am I misunderstanding?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1679 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 28 October 2021 16:03:22 UTC