Re: [webauthn] TPM attestation verification steps inconsistent with FIDO conformance testing tool (#1925)

@sbweeden Sorry, I just realised that I was mentioned here:

> The FIDO conformance test tool however contains a specific test case where these algorithm identifiers are set to different values, to ensure that RPs use the algorithm identifier from the attested name in certInfo. If an RP strictly follows the process as currently defined in the WebAuthn specification, then that test case will fail.

That came from a real-world issue: during testing we had examples of TPM attestations where the nameAlg did not match the other nameAlg.

Here is the direct comment from that time:

```
/*
    So the name is a concatenation of nameAlg [2 bytes] and the hash structure [n bytes].

    The confusion comes from the fact that TPMS_CERTIFY_INFO contains a name field that holds the name of the TPMT_PUBLIC. But at the same time, TPMT_PUBLIC contains a nameAlg field that holds the algorithm identifier for calculating authPolicy. These two both use nameAlg, but they can be different.

    For example:
    TPMT_PUBLIC.nameAlg = SHA-1;
    TPMT_PUBLIC.authPolicy = hashTPMT_PUBLIC.nameAlg

    nameAlg = SHA-256
    TPMS_CERTIFY_INFO.name = nameAlg || hashnameAlg
*/
```

-- 
GitHub Notification of comment by herrjemand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1925#issuecomment-1979736859 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 March 2024 22:22:27 UTC
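The point the comment makes, as an added example that is not part of the thread and not the FIDO conformance tool's or the WebAuthn spec's own code: a TPM name is `TPM_ALG_ID (2 bytes) || hash(TPMT_PUBLIC)`, and the algorithm identifier that prefixes `certInfo.attested.name` can differ from the `nameAlg` field inside `pubArea`. The verifier below takes the hash algorithm from the name's own two-byte prefix and compares against the digest of `pubArea`, so the mismatched case still verifies, while the literal "use TPMT_PUBLIC.nameAlg" reading rejects it. The `TPM_ALG_ID` constants are the values from the TPM 2.0 Library Specification, Part 2; the `pubArea` bytes and modulus are constructed test data, not a real key, and the RSA parameter layout is only as much of `TPMT_PUBLIC` as the example needs.

```python
"""
Added example: checking certInfo.attested.name against pubArea using the hash
algorithm carried in the name's own prefix.  Test data is constructed; the
pubArea is a minimal RSA TPMT_PUBLIC, not a key produced by a real TPM.
"""
import hashlib
import hmac
import struct

# TPM_ALG_ID values (TPM 2.0 Library Specification, Part 2).
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_ALG_SHA384 = 0x000C
TPM_ALG_SHA512 = 0x000D
TPM_ALG_NULL = 0x0010

# Hash algorithms a TPM name prefix may legitimately carry.
HASH_BY_ALG = {
    TPM_ALG_SHA1: "sha1",
    TPM_ALG_SHA256: "sha256",
    TPM_ALG_SHA384: "sha384",
    TPM_ALG_SHA512: "sha512",
}


def build_rsa_pub_area(name_alg: int, modulus: bytes, exponent: int = 0) -> bytes:
    """Serialise a minimal TPMT_PUBLIC for an RSA key (constructed test data).

    Layout: type, nameAlg, objectAttributes, authPolicy (TPM2B_DIGEST),
    TPMS_RSA_PARMS (symmetric, scheme, keyBits, exponent), unique (TPM2B).
    """
    auth_policy = b""  # empty policy digest for the example
    return (
        struct.pack(">HH", TPM_ALG_RSA, name_alg)
        + struct.pack(">I", 0)  # objectAttributes, irrelevant to the name check
        + struct.pack(">H", len(auth_policy)) + auth_policy
        + struct.pack(">HHHI", TPM_ALG_NULL, TPM_ALG_NULL, len(modulus) * 8, exponent)
        + struct.pack(">H", len(modulus)) + modulus
    )


def pub_area_name_alg(pub_area: bytes) -> int:
    """TPMT_PUBLIC.nameAlg is the second UINT16 of the structure."""
    return struct.unpack(">H", pub_area[2:4])[0]


def compute_name(pub_area: bytes, alg_id: int) -> bytes:
    """A TPM name: algorithm identifier (2 bytes) || hash_alg(pubArea)."""
    digest = hashlib.new(HASH_BY_ALG[alg_id], pub_area).digest()
    return struct.pack(">H", alg_id) + digest


def verify_attested_name(pub_area: bytes, attested_name: bytes) -> bool:
    """Check the attested name using the algorithm named by its own prefix.

    This is what the conformance test case described in the thread expects:
    the prefix, not TPMT_PUBLIC.nameAlg, decides which hash is used.
    """
    if len(attested_name) < 2:
        return False
    alg_id = struct.unpack(">H", attested_name[:2])[0]
    if alg_id not in HASH_BY_ALG:
        return False  # unknown or TPM_ALG_NULL prefix: reject
    expected = compute_name(pub_area, alg_id)
    return hmac.compare_digest(expected, attested_name)


def verify_attested_name_strict_spec(pub_area: bytes, attested_name: bytes) -> bool:
    """Literal reading of the current spec text: hash with TPMT_PUBLIC.nameAlg."""
    alg_id = pub_area_name_alg(pub_area)
    if alg_id not in HASH_BY_ALG:
        return False
    expected = compute_name(pub_area, alg_id)
    return hmac.compare_digest(expected, attested_name)


# Constructed demo data: pubArea says nameAlg = SHA-1, but the attested name
# is built with SHA-256, the mismatch the thread describes.
CONSTRUCTED_MODULUS = bytes(range(256))
DEMO_PUB_AREA = build_rsa_pub_area(TPM_ALG_SHA1, CONSTRUCTED_MODULUS)
DEMO_NAME = compute_name(DEMO_PUB_AREA, TPM_ALG_SHA256)

if __name__ == "__main__":
    print("pubArea nameAlg:", hex(pub_area_name_alg(DEMO_PUB_AREA)))
    print("name prefix:    ", DEMO_NAME[:2].hex())
    print("prefix-driven check:", verify_attested_name(DEMO_PUB_AREA, DEMO_NAME))
    print("strict-spec check:  ", verify_attested_name_strict_spec(DEMO_PUB_AREA, DEMO_NAME))
```

The prefix-driven check still rejects a name whose digest does not match `pubArea` (flip any byte of `DEMO_NAME` and it fails), so accepting the prefix as the source of the algorithm does not weaken the binding between `certInfo` and `pubArea`; it only stops the RP from assuming the two `nameAlg` values are always equal.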