Re: [webauthn] Change UV check step from passive to active voice (#1704)

> As a result, the RP should never "trust" that the options it sent to the browser were actually used in communications with the authenticator. Instead it should keep a "copy of its policy", which might be a local copy of the options it intended the client to use, and always verify the response from the authenticator against that.

That makes a lot of sense, but the current specification already presumes that `options` were stored by the server, because it uses them for verification e.g. in https://w3c.github.io/webauthn/#sctn-registering-a-new-credential:

> 8. Verify that the value of C.[`challenge`](https://w3c.github.io/webauthn/#dom-collectedclientdata-challenge) equals the base64url encoding of options.[`challenge`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-challenge).

Or

> 15. Verify that the "alg" parameter in the [credential public key](https://w3c.github.io/webauthn/#credentialpublickey) in authData matches the [alg](https://w3c.github.io/webauthn/#dom-publickeycredentialparameters-alg) attribute of one of the [items](https://infra.spec.whatwg.org/#list-item) in options.[pubKeyCredParams](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-pubkeycredparams).

If these `options` really can't be trusted, then all the steps in [WebAuthn Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) making use of `options` for verification should be rewritten to not use it, and instead use the same language as it already does for user verification.

On the other hand, if we can assume that the `options` referenced in the specification can be trusted (maybe by pointing out that it should be temporarily stored by the server for later verification, but I think this is already clear when wanting to implement the spec), then I think the current wording of these steps makes sense, but then I also believe the user verification step should be rewritten to reference `options`:

> 14. If options.[authenticatorSelection](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-authenticatorselection).[userVerification](https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-userverification) is set to [required](https://w3c.github.io/webauthn/#dom-userverificationrequirement-required), verify that the [User Verified](https://w3c.github.io/webauthn/#concept-user-verified) bit of the [flags](https://w3c.github.io/webauthn/#flags) in authData is set.

-- 
GitHub Notification of comment by Infinisil
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1704#issuecomment-1071407280 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 17 March 2022 20:37:42 UTC
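
As an added example (not part of the comment above or of the WebAuthn specification), the following server-side check applies the quoted steps 8, 14 and 15 against the RP's own stored copy of `options`, so nothing the client echoes back decides the policy. The function name, the `storedOptions` shape and the pre-decoded `coseAlg` argument are assumptions, and the sample inputs are constructed.

```javascript
// Added example: verifyRegistration, storedOptions and coseAlg are hypothetical names.
const UV_FLAG = 0x04;    // User Verified bit in the authData flags byte
const FLAGS_OFFSET = 32; // flags byte follows the 32-byte rpIdHash

const b64url = (bytes) => Buffer.from(bytes).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// storedOptions is the server's own copy of the options, looked up from session state.
// coseAlg is assumed to be already decoded from the credential public key in authData.
function verifyRegistration(storedOptions, clientDataJSON, authData, coseAlg) {
  let C;
  try { C = JSON.parse(Buffer.from(clientDataJSON).toString("utf8")); }
  catch { return { ok: false, reason: "clientDataJSON is not valid JSON" }; }

  // Step 8: C.challenge must equal base64url(options.challenge).
  if (C.challenge !== b64url(storedOptions.challenge))
    return { ok: false, reason: "challenge mismatch" };

  // rpIdHash (32) + flags (1) + signCount (4) is the minimum authData length.
  if (authData.length < 37) return { ok: false, reason: "authData too short" };
  const flags = authData[FLAGS_OFFSET];

  // Step 14 as proposed in the comment: read the policy from the stored options.
  const uv = storedOptions.authenticatorSelection?.userVerification;
  if (uv === "required" && (flags & UV_FLAG) === 0)
    return { ok: false, reason: "UV required but not set" };

  // Step 15: alg must be one the server itself offered.
  if (!storedOptions.pubKeyCredParams.some((p) => p.alg === coseAlg))
    return { ok: false, reason: "alg not in pubKeyCredParams" };
  return { ok: true };
}

// Constructed sample data (not from a real authenticator).
const storedOptions = {
  challenge: Buffer.from("00112233445566778899aabbccddeeff", "hex"),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  authenticatorSelection: { userVerification: "required" },
};
const sampleClientData = (challengeBytes) => Buffer.from(
  JSON.stringify({ type: "webauthn.create", challenge: b64url(challengeBytes) }));
const sampleAuthData = (flags) => {
  const a = Buffer.alloc(37); a[FLAGS_OFFSET] = flags; return a;
};

const goodClientData = sampleClientData(storedOptions.challenge);
console.log(verifyRegistration(storedOptions, goodClientData, sampleAuthData(0x45), -7));
console.log(verifyRegistration(storedOptions, goodClientData, sampleAuthData(0x41), -7));
```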