- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Thu, 10 Feb 2022 01:03:29 +0000
- To: public-webauthn@w3.org
MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== How can we trust authenticator data flags in fmt:none response from `.create()`? ==

I was asked recently how we can trust the [`uv` flag](https://www.w3.org/TR/webauthn-2/#flags) in particular in [`authData`](https://www.w3.org/TR/webauthn-2/#sctn-authenticator-data) that's returned from a call to `.create()` **when a `"none"`-formatted attestation statement is returned.**

I went to refresh my memory by taking a look at the spec and realized that if an RP never requests direct attestation then there's nothing preventing anyone from messing with the flags because there's no signature over `authData`.

Does it not make sense for an authenticator generating a response for `.create()` to at least provide a signature over `authData` and `clientDataJSON`, like we get back from `.get()`?

If there's no need for this, then can someone please help me explain to others why this isn't a problem if they want to ensure that user verification actually took place during registration?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1698 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 10 February 2022 01:03:31 UTC
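As an added example (not part of the issue above or of the WebAuthn spec text), the following decodes the `authData` layout the issue refers to and makes the point concrete: with a fmt `none` attestation the RP reads the `uv` flag out of bytes that nothing signs, whereas in a `.get()` response the same bytes are covered by the signature over `authData || SHA-256(clientDataJSON)`. The RP ID, credential id, zeroed AAGUID and truncated COSE key bytes are constructed placeholders.

```python
import hashlib
import struct

# Bits of the one-byte "flags" field in authenticator data (WebAuthn Level 2, sec. 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

# Constructed placeholder: a truncated CBOR COSE key, not a real public key.
COSE_KEY_PLACEHOLDER = b"\xa5\x01\x02"


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode rpIdHash, flags, signCount and (if AT is set) the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than rpIdHash + flags + signCount")
    flags = auth_data[32]
    out = {
        "rpIdHash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credentialId"] = auth_data[55:55 + cred_id_len]
        out["credentialPublicKey"] = auth_data[55 + cred_id_len:]  # CBOR COSE key, left undecoded
    return out


def build_registration_auth_data(rp_id: str, flags: int, cred_id: bytes, cose_key: bytes) -> bytes:
    """Assemble authData the way a .create() response carries it (constructed sample, not a real device)."""
    aaguid = b"\x00" * 16  # zeroed AAGUID, as a fmt "none" response typically carries
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0) + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


def assertion_signature_base(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes an authenticator signs in a .get() response: authData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def clear_uv(auth_data: bytes) -> bytes:
    """Same authData with UV off: under fmt "none" the parser cannot tell; in an assertion the signature would."""
    return auth_data[:32] + bytes([auth_data[32] & ~FLAG_UV]) + auth_data[33:]


SAMPLE_AUTH_DATA = build_registration_auth_data("example.com", FLAG_UP | FLAG_UV, b"cred-id-01", COSE_KEY_PLACEHOLDER)
```

Parsing `SAMPLE_AUTH_DATA` and `clear_uv(SAMPLE_AUTH_DATA)` yields identical results apart from `uv`, which is the RP-side view of what the issue describes; only the `.get()` path, via `assertion_signature_base`, gives the RP a signed copy of those flags.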