Re: [webauthn] Improved version of extension for Transaction Confirmation (#2020)

To continue our efforts to implement WYSIWYS in the connected authenticator: We found that besides not having `txAuthSimple`, even `hmac-secret` is not implemented as expected.

We were a bit desperate, as we really needed to get the data to the connected authenticator device so that the user could confirm it... and we managed to hack it.

By only supporting non-discoverable credentials, we get the list of `allowCredential` in WebAuthn, and - voila - this is the only data bundle we can pass in the authenticator and obtain it without modifications. So, we now append our challenge to the credential ID. Our authenticator can interpret this. Other authenticators don't need to care. Credential ID is not them. We then also compute a proprietary signature response (still conforming to ES256), binding the "plain challenge" we get in `allowCredential` list to the "hashed challenge" constructed from ClientDataJSON by the WebAuthn protocol... Cool, it works. It is ugly. But it works. We can do better...

Introducing "WebAuthn2: This time, we will get it right.", starring Steven Segal.

The signable challenge is in Verifiable Credentials format so that it is signed by the relying party, and the browser (or connected authenticator) can display it, as it is a standard format. Then, signing the challenge in the authenticator (platform or cross-platform) results in a Verifiable Presentation.

Is there any effort alongside this outline?

-- 
GitHub Notification of comment by petrdvorak
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2020#issuecomment-2009322993 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 20 March 2024 11:11:32 UTC
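To make the work-around in the comment above concrete, here is an added illustration (not the commenter's code and not part of any authenticator or the WebAuthn spec): the RP packs the plain challenge after the credential ID in `allowCredentials`, the custom authenticator splits it off to display it, and the RP checks that the packed plain challenge is the same value the browser put into `clientDataJSON` before trusting what the user saw. It assumes a fixed 16-byte credential ID, a compact JSON serialisation and an ASCII challenge; all sample values are constructed.

```python
import base64
import hashlib
import json

# Hypothetical layout for the work-around described in the comment: the
# relying party (RP) appends the plain-text challenge to the credential ID
# in allowCredentials, and the custom authenticator splits it off again.
# Assumption (not from the page): the real credential ID is a fixed 16 bytes.
CRED_ID_LEN = 16


def b64url(data: bytes) -> str:
    """WebAuthn base64url encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_allow_credential(cred_id: bytes, plain_challenge: bytes) -> dict:
    """RP side: pack the text to be confirmed after the credential ID."""
    if len(cred_id) != CRED_ID_LEN:
        raise ValueError("credential ID must be exactly CRED_ID_LEN bytes")
    return {"type": "public-key", "id": cred_id + plain_challenge}


def split_allow_credential(entry: dict) -> tuple[bytes, bytes]:
    """Authenticator side: recover the credential ID and the text to display."""
    packed = entry["id"]
    return packed[:CRED_ID_LEN], packed[CRED_ID_LEN:]


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """Browser side: the clientDataJSON whose SHA-256 the authenticator signs."""
    data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(data, separators=(",", ":")).encode()


def signed_message(authenticator_data: bytes, cdj: bytes) -> bytes:
    """Standard assertion signature input: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(cdj).digest()


def rp_binding_holds(entry: dict, cdj: bytes) -> bool:
    """RP check: the plain challenge carried in the credential ID must equal the
    challenge the browser placed in clientDataJSON, i.e. the displayed text is
    the text that the (standard) signature actually covers."""
    _, displayed = split_allow_credential(entry)
    return json.loads(cdj).get("challenge") == b64url(displayed)
```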