[webauthn] RP operations: some extension processing may assume that the encompassing signature is valid (#1711)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== RP operations: some extension processing may assume that the encompassing signature is valid ==
In both of the [RP Operations subsections](https://www.w3.org/TR/webauthn/#sctn-rp-operations) (Registering a new cred, and verifying an authn assertion), the step for verifying/processing of extension outputs is placed _before_ the step for verifying the signature value over "authenticator data".

This is fine for idempotent extensions that simply marshall data for eventual return to the RP as a part of the operation's response.

However, extensions such as `devicePubKey` call for the RP to associate and store extension-generated data with the user's account. The RP probably should only do so if the overall credential creation or authentication results themselves validate correctly, which notably includes verifying the "encompassing" signature over "authenticator data".

Perhaps the step for verifying extension outputs should be moved to after the step(s) for verifying the "encompassing" signature over "authenticator data" in both of the registering a new cred, and verifying an authn assertion sections.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1711 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 23 March 2022 18:14:15 UTC
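
The ordering proposed in the issue, sketched as an added example (not part of the issue text or the WebAuthn specification): the RP verifies the signature over authenticator data concatenated with the client data hash, and only then lets extension processing write to the account. `verifyAssertion`, `parseExtensions`, the `account` record and the string-valued `devicePubKey` output are hypothetical, and JSON stands in for the CBOR-encoded authenticator data.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in: real authenticator data is a binary structure whose
// extension outputs are CBOR; JSON is used here to keep the example short.
const parseExtensions = (authData) => JSON.parse(authData.toString('utf8')).extensions || {};

// Signed bytes per WebAuthn: authenticatorData || SHA-256(clientDataJSON).
const signedBytes = (authData, clientDataJSON) =>
  Buffer.concat([authData, crypto.createHash('sha256').update(clientDataJSON).digest()]);

// Hypothetical RP routine; account.store is the RP's per-credential record.
function verifyAssertion(account, { authData, clientDataJSON, signature }) {
  // 1. Verify the encompassing signature first.
  const ok = crypto.verify('sha256', signedBytes(authData, clientDataJSON),
                           account.credentialPublicKey, signature);
  if (!ok) return { ok: false, stored: false };
  // 2. Only now run extension processing that changes account state.
  const ext = parseExtensions(authData);
  if (ext.devicePubKey) account.store.devicePubKeys.push(ext.devicePubKey);
  return { ok: true, stored: Boolean(ext.devicePubKey) };
}

// Constructed fixture: a P-256 key pair standing in for the authenticator.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const account = { credentialPublicKey: publicKey, store: { devicePubKeys: [] } };
  const clientDataJSON = Buffer.from('{"type":"webauthn.get","challenge":"constructed"}');
  const authData = Buffer.from(JSON.stringify({ extensions: { devicePubKey: 'dpk-genuine' } }));
  const signature = crypto.sign('sha256', signedBytes(authData, clientDataJSON), privateKey);

  // Response whose extension output no longer matches the signed bytes.
  const altered = Buffer.from(JSON.stringify({ extensions: { devicePubKey: 'dpk-altered' } }));
  const rejected = verifyAssertion(account, { authData: altered, clientDataJSON, signature });
  const afterReject = [...account.store.devicePubKeys];

  const accepted = verifyAssertion(account, { authData, clientDataJSON, signature });
  return { rejected, afterReject, accepted, stored: account.store.devicePubKeys };
}
```

With the two steps in the opposite order, the altered `devicePubKey` value would already be in `account.store` by the time the signature check failed.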