- From: Adam Langley <noreply@github.com>
- Date: Thu, 19 May 2022 15:58:12 -0700
- To: public-webauthn@w3.org
Branch: refs/heads/jeffh-fix-1658-device-bound-key-extension
Home: https://github.com/w3c/webauthn

Commit: d92bad2a3f5925b4dd4d0cb39544393e7f3a491b
    https://github.com/w3c/webauthn/commit/d92bad2a3f5925b4dd4d0cb39544393e7f3a491b
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
The DPK is stored on the authenticator.

The text said that the DPK was stored on the client device, but the client device is the device that the browser is running on, not the authenticator. That _might_ be the same device, but it's unclear. Clarify that the DPKs come from the authenticator.

Commit: 6d45aba6a5088cac743f85c33fec48dec60bd010
    https://github.com/w3c/webauthn/commit/6d45aba6a5088cac743f85c33fec48dec60bd010
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
Provide attestation controls.

Mirror the attestation controls for user credentials into the DPK extension.

Commit: eb598ff6a4d08ce35262ee2de3537a8989809cf9
    https://github.com/w3c/webauthn/commit/eb598ff6a4d08ce35262ee2de3537a8989809cf9
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
Pull out DPK attestation rules and add signature prefix.

This change adds a section about calculating DPK attestations and references that each time rather than duplicating the rules. It also adds a prefix to the signed messages to ensure that DPK and user credential attestations clearly cannot be confused.

Commit: b7289e1686669ae00f65653ef608c594a504513f
    https://github.com/w3c/webauthn/commit/b7289e1686669ae00f65653ef608c594a504513f
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
Reflow CDDL to avoid a scroll bar.

Commit: dcfb39270f989b30dce6772d03e58c4549902afd
    https://github.com/w3c/webauthn/commit/dcfb39270f989b30dce6772d03e58c4549902afd
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
Have the DPK sign over everything.

Signing over too little is a common problem in protocols and the DPK wasn't signing over very much. The problem is that the signature was within the extension itself and thus couldn't easily cover the authenticator data.

This change puts the DPK signature next to the normal signature in an assertion, transforming that field into a CBOR array.

That's fine for assertions, but registration doesn't have such a signature output. Thus this change drops exercising the DPK during registration: Firstly, this is in line with the user credential which doesn't sign during registration unless "self" attestation is used. (And "self" attestation can be used with the DPK if desired.) Secondly, adding an extra signature output for registration is awkward. Putting it in the user credential attestation statement is awkward and conflicts when user-agents replace attestation statements. Adding a new CTAP field is possible but seems excessive since, as noted, there has never been a signature by the user credential.

Commit: cbb6b5d050a0c7647521da9ae9c6858c878d0f17
    https://github.com/w3c/webauthn/commit/cbb6b5d050a0c7647521da9ae9c6858c878d0f17
Author: Adam Langley <agl@imperialviolet.org>
Date: 2022-05-19 (Thu, 19 May 2022)
Changed paths:
  M index.bs
Log Message:
-----------
Note that CTAP2 CBOR is required in DPK.

Compare: https://github.com/w3c/webauthn/compare/b8d8567a5bf2...cbb6b5d050a0
Received on Thursday, 19 May 2022 22:58:24 UTC
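Two of the commits above make a design point that is easier to see in code: the DPK signature should cover the authenticator data rather than only the extension's own contents (dcfb3927), and attestation signatures carry a prefix so that DPK and user-credential attestations cannot be confused (eb598ff6). The following is an added Go example written for this archive page; it is not part of the notification, the commits, or the w3c/webauthn text. It assumes ECDSA P-256 with ASN.1 DER signatures over a SHA-256 digest of prefix || data; the commit messages do not quote the specification's actual signature construction, CBOR encoding or prefix bytes, so the prefix strings and all sample inputs are constructed placeholders, and the CBOR array of signatures is modelled as two separate values rather than encoded.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Placeholder domain-separation prefixes: the commits say a prefix keeps DPK and
// user-credential attestations apart but do not quote its bytes, so these are assumed.
const (
	PrefixDPKAttestation  = "PLACEHOLDER:dpk-attestation"
	PrefixUserAttestation = "PLACEHOLDER:user-attestation"
)

// digest is SHA-256 over prefix || parts[0] || parts[1] || ...
func digest(prefix string, parts ...[]byte) []byte {
	sum := sha256.Sum256(append([]byte(prefix), bytes.Join(parts, nil)...))
	return sum[:]
}

// SignOver signs digest(prefix, parts...) with ECDSA P-256 (ASN.1 DER signature).
func SignOver(key *ecdsa.PrivateKey, prefix string, parts ...[]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(prefix, parts...))
}

// VerifyOver checks a signature against the same digest construction.
func VerifyOver(pub *ecdsa.PublicKey, sig []byte, prefix string, parts ...[]byte) bool {
	return ecdsa.VerifyASN1(pub, digest(prefix, parts...), sig)
}

// Result holds each verifier's decision for the scenarios in Run.
type Result struct {
	NarrowAcceptsSwappedAuthData, WideAcceptsGenuine bool
	WideRejectsSwappedAuthData, CrossContextRejected bool
}

// Run signs constructed assertion material both ways, swaps the authenticator data,
// and records which layout notices; it then shows the attestation prefix at work.
func Run() (Result, error) {
	var r Result
	dpk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	pub := &dpk.PublicKey

	// Constructed sample inputs (not real WebAuthn encodings).
	authData := []byte("constructed authData: rpIdHash|flags|counter=7")
	swapped := []byte("constructed authData: rpIdHash|flags|counter=99")
	cdh := sha256.Sum256([]byte("constructed client data JSON"))
	extBlob := []byte("constructed DPK extension output")

	// Old layout: the signature lived inside the extension and covered only the
	// extension blob, so nothing binds it to the authData the verifier received;
	// swapping authData for a different one changes nothing the verifier checks.
	narrowSig, err := SignOver(dpk, "", extBlob)
	if err != nil {
		return r, err
	}
	r.NarrowAcceptsSwappedAuthData = VerifyOver(pub, narrowSig, "", extBlob)

	// New layout: the DPK signature sits beside the assertion signature (the field
	// becomes a CBOR array in the spec; a second value here) and covers
	// authData || clientDataHash, so swapped authData fails verification.
	wideSig, err := SignOver(dpk, "", authData, cdh[:])
	if err != nil {
		return r, err
	}
	r.WideAcceptsGenuine = VerifyOver(pub, wideSig, "", authData, cdh[:])
	r.WideRejectsSwappedAuthData = !VerifyOver(pub, wideSig, "", swapped, cdh[:])

	// Attestation: the same key over the same payload, signed under the
	// user-credential prefix, must not verify as a DPK attestation.
	payload := []byte("constructed attestation to-be-signed bytes")
	userCtxSig, err := SignOver(dpk, PrefixUserAttestation, payload)
	if err != nil {
		return r, err
	}
	r.CrossContextRejected = !VerifyOver(pub, userCtxSig, PrefixDPKAttestation, payload)
	return r, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // all four fields report true
}
```

`NarrowAcceptsSwappedAuthData` is true precisely because the narrow verification never takes the authenticator data as input: that is the "signing over too little" problem the commit describes, and the wide check fixes it by making the swapped authData fail. The prefix check shows why a context string in the signed message matters: without it, a valid signature produced for one kind of attestation could be replayed as the other.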