- From: Arnar Birgisson via GitHub <sysbot+gh@w3.org>
- Date: Wed, 22 Jun 2022 18:54:48 +0000
- To: public-webauthn@w3.org
arnar has just submitted a new pull request for https://github.com/w3c/webauthn:

== Introduce unsigned extension outputs in DPK PR ==

- device-bound Public Key pair extension
- further hacking...
- nearly complete tho likely needs to be re-worked to include attestation of dbPK
- add 'device-bound key'
- in-progress updates...
- further in-progress updates...
- further in-progress updates...
- devicePublicKey extension section functionally complete
- further edits...
- cleanup trailing whitespace...
- Device-bound public key ProVerif model
- who-signs-what musings...
- editorial polishing
- editorial polishing
- major reorg & clarifications
- further reorg & polish
- proverif model cleanup
- remove unused 'cert'
- revise/correct objects hierarchy
- clarifications
- clarifications
- clarifications
- switch model starting-point to webauthn-basic.pv
- clarifications
- clarifications to both DPK stuff and PV model
- revise model significantly
- further clarifications and musings
- editorial
- revised dpk syntax per agl review
- further refined dpk syntax per feedback
- select the more simple AttObjForDevicePublicKey
- begin reworking devicePubKey extension
- editorial
- device-bound-key-pair.pv -> device-bound-key-pair.txt
- add separate webauthn.pv file
- editorial
- fix attSecretKey in pv model
- add README.pv.md file
- editorial cleanups
- processUser -> processClientAndAuthnr
- define formal RegRequestMsg
- editorial
- attPublicKey is public
- WIP: refine attestation object construction
- WIP: attObject parsing
- WIP: add Extensions.
- editorial
- COMPLETED: refine attestation object construction
- refine events
- editorial
- editorial
- more meaningful query wrt response msg.
- add: set traceDisplay long
- fix var rebindings, trim queries
- update README.pv.md
- edit README.pv.md
- rename server name, plus other cleanups
- edit README.pv.md
- remove pv files from this branch
- update Device-bound public key extension
- work in progress
- finish Notes -- nominally complete for Draft PR
- untraced device-bound-key-pair.txt
- context is now scope
- do binary equality checks
- Apply suggestions from emlun's code review, thanks!
- fixes inspired by emlun's review
- incorp pascoej's correction, thx!
- fix bug emlun caught (thx) & apply polish
- Apply emlun's suggestions, thx!
- polish emlun's suggestion to not be a Note
- polish Authenticator extension processing
- authnr extension rather than client extension
- minor editorial fixes
- revise intro and define most of verification procedure
- finish roughing-out verification procedures
- remove extraneous Note on permissions policy that crept in somehow
- incorp emlun's suggestion on hardware-bound device key pair definition
- add Notes to RP verification steps linking to DPK extension verification procedures
- do not use 'synced' user cred term per TimC
- update 'Relying Party Usage' section and note current issues
- clarification
- wordsmithing, thx emlun!
- incorp & massage Emlun's suggestion, thx!
- rough WIP to fix issue #1701 side-channel attack
- further WIP re fixing #1701 authnr nonce, & noting #1711
- attempt at polishing various portions of devicePubKey
- The DPK is stored on the authenticator.
- Provide attestation controls.
- Pull out DPK attestation rules and add signature prefix.
- Reflow CDDL to avoid a scroll bar.
- Have the DPK sign over everything.
- Note that CTAP2 CBOR is required in DPK.
- Resolve comment by jovasco
- Link definitions from PR 1695.
- Make the DPK signature a different output field.
- Update attestation and add it for assertions
- Introduce unsigned extension outputs and use it to return the dpk signature.

See https://github.com/w3c/webauthn/pull/1753

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 22 June 2022 18:54:50 UTC