- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 19 May 2022 22:58:02 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by agl to https://github.com/w3c/webauthn: * The DPK is stored on the authenticator. The text said that the DPK was stored on the client device, but the client device is the device that the browser is running on, not the authenticator. That _might_ be the same device, but it's unclear. Clarify that the DPKs come from the authenticator. by Adam Langley https://github.com/w3c/webauthn/commit/d92bad2a3f5925b4dd4d0cb39544393e7f3a491b * Provide attestation controls. Mirror the attestation controls for user credentials into the DPK extension. by Adam Langley https://github.com/w3c/webauthn/commit/6d45aba6a5088cac743f85c33fec48dec60bd010 * Pull out DPK attestation rules and add signature prefix. This change adds a section about calculating DPK attestations and references that each time rather than duplicating the rules. It also adds a prefix to the signed messages to ensure that DPK and user credential attestations clearly cannot be confused. by Adam Langley https://github.com/w3c/webauthn/commit/eb598ff6a4d08ce35262ee2de3537a8989809cf9 * Reflow CDDL to avoid a scroll bar. by Adam Langley https://github.com/w3c/webauthn/commit/b7289e1686669ae00f65653ef608c594a504513f * Have the DPK sign over everything. Signing over too little is a common problem in protocols and the DPK wasn't signing over very much. The problem is that the signature was within the extension itself and thus couldn't easily cover the authenticator data. This change puts the DPK signature next to the normal signature in an assertion, transforming that field into a CBOR array. That's fine for assertions, but registration doesn't have such a signature output. Thus this change drops exercising the DPK during registration: Firstly, this is in line with the user credential which doesn't sign during registration unless "self" attestation is used. (And "self" attestation can be use with the DPK if desired.) Secondly, adding an extra signature output for registration is awkward. Putting it in the user credential attestation statement is awkward and conflicts when user-agents replace attestation statements. Adding a new CTAP field is possible but seems excessive since, as noted, there has never been a signature by the user credential. by Adam Langley https://github.com/w3c/webauthn/commit/dcfb39270f989b30dce6772d03e58c4549902afd * Note that CTAP2 CBOR is required in DPK. by Adam Langley https://github.com/w3c/webauthn/commit/cbb6b5d050a0c7647521da9ae9c6858c878d0f17 -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 19 May 2022 22:58:03 UTC