
[webauthn] Closed Pull Request: Introduce unsigned extension outputs in DPK PR

From: Arnar Birgisson via GitHub <sysbot+gh@w3.org>
Date: Wed, 22 Jun 2022 18:56:12 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-975636321-1655924170-sysbot+gh@w3.org>

arnar has just closed arnar's pull request 1753 for https://github.com/w3c/webauthn:

== Introduce unsigned extension outputs in DPK PR ==
- device-bound Public Key pair extension
- further hacking...
- nearly complete tho likely needs to be re-worked to include attestation of dbPK
- add 'device-bound key'
- in-progress updates...
- further in-progress updates...
- further in-progress updates...
- devicePublicKey extension section functionally complete
- further edits...
- cleanup trailing whitespace...
- Device-bound public key ProVerif model
- who-signs-what musings...
- editorial polishing
- editorial polishing
- major reorg & clarifications
- further reorg & polish
- proverif model cleanup
- remove unused 'cert'
- revise/correct objects hierarchy
- clarifications
- clarifications
- clarifications
- switch model starting-point to webauthn-basic.pv
- clarifications
- clarifications to both DPK stuff and PV model
- revise model significantly
- further clarifications and musings
- editorial
- revised dpk syntax per agl review
- further refined dpk syntax per feedback
- select the more simple AttObjForDevicePublicKey
- begin reworking devicePubKey extension
- editorial
- device-bound-key-pair.pv -> device-bound-key-pair.txt
- add separate webauthn.pv file
- editorial
- fix attSecretKey in pv model
- add README.pv.md file
- editorial cleanups
- processUser -> processClientAndAuthnr
- define formal RegRequestMsg
- editorial
- attPublicKey is public
- WIP: refine attestation object construction
- WIP: attObject parsing
- WIP: add Extensions.
- editorial
- COMPLETED: refine attestation object construction
- refine events
- editorial
- editorial
- more meaningful query wrt response msg.
- add: set traceDisplay long
- fix var rebindings, trim queries
- update README.pv.md
- edit README.pv.md
- rename server name, plus other cleanups
- edit README.pv.md
- remove pv files from this branch
- update Device-bound public key extension
- work in progress
- finish Notes -- nominally complete for Draft PR
- untraced device-bound-key-pair.txt
- context is now scope
- do binary equality checks
- Apply suggestions from emlun's code review, thanks!
- fixes inspired by emlun's review
- incorp pascoej's correction, thx!
- fix bug emlun caught (thx) & apply polish
- Apply emlun's suggestions, thx!
- polish emlun's suggestion to not be a Note
- polish Authenticator extension processing
- authnr extension rather than client extension
- minor editorial fixes
- revise intro and define most of verification procedure
- finish roughing-out verification procedures
- remove extraneous Note on permissions policy that crept in somehow
- incorp emlun's suggestion on hardware-bound device key pair definition
- add Notes to RP verification steps linking to DPK extension verification procedures
- do not use 'synced' user cred term per TimC
- update 'Relying Party Usage' section and note current issues
- clarification
- wordsmithing, thx emlun!
- incorp & massage Emlun's suggestion, thx!
- rough WIP to fix issue #1701 side-channel attack
- further WIP re fixing #1701 authnr nonce, & noting #1711
- attempt at polishing various portions of devicePubKey
- The DPK is stored on the authenticator.
- Provide attestation controls.
- Pull out DPK attestation rules and add signature prefix.
- Reflow CDDL to avoid a scroll bar.
- Have the DPK sign over everything.
- Note that CTAP2 CBOR is required in DPK.
- Resolve comment by jovasco
- Link definitions from PR 1695.
- Make the DPK signature a different output field.
- Update attestation and add it for assertions
- Introduce unsigned extension outputs and use it to return the dpk signature.


See https://github.com/w3c/webauthn/pull/1753

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 22 June 2022 18:56:14 UTC
