[webauthn] Requirements for attestation for DPK (#1799)

keikoit has just created a new issue for https://github.com/w3c/webauthn:

== Requirements for attestation for DPK ==
Based on discussions with various RPs as well as system integrators for RPs, here are the requirements for attestation for DPK (device-bound public key).

If DPK is supported,

1. an attestation statement shall be included, and
2. the attestation shall be protected from replay attacks.

Replay attack protection may be achieved, for example, by including the RP challenge in the DPK signature. Using clientDataHash will enable this protection with a minimal extension to the current draft specification.
Without replay attack protection, DPK is equivalent to a bearer token. RPs that need DPK cannot trust such a DPK, and DPK will not be very useful to them.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1799 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 10 September 2022 22:15:37 UTC