[webauthn] Compound attestation statement format is incompatible with attStmtTemplate (#2210)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Compound attestation statement format is incompatible with attStmtTemplate ==
[6.5.4. Generating an Attestation Object](https://w3c.github.io/webauthn/#sctn-generating-an-attestation-object) defines a CDDL template for attestation statement formats:

```
attObj = {
            authData: bytes,
            $$attStmtType
         }

attStmtTemplate = (
                      fmt: text,
                      attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType
                  )

; Every attestation statement format must have the above fields
attStmtTemplate .within $$attStmtType
```

Note that the `attStmt` member is defined as a CBOR map.

[§8.9. Compound Attestation Statement Format](https://w3c.github.io/webauthn/#sctn-compound-attestation) defines a choice for the `$$attStmtType` group socket:

```
$$attStmtType //= (
                      fmt: "compound",
                      attStmt: [2* nonCompoundAttStmt]
                  )

nonCompoundAttStmt = { $$attStmtType } .within { fmt: text .ne "compound" }
```

Note that the `attStmt` member here is a CBOR array.

I also don't think the expression `attStmtTemplate .within $$attStmtType` successfully encodes the intent `Every attestation statement format must have the above fields`, for two reasons: it does not define a CDDL _rule_ since it contains no `=` sign, and even if it did, the `.within` control operator would apply only to the new type defined by that rule, but not to the `attObj` type.

On the 2024-11-20 WG call it was said that there are implementations of compound attestation shipping, so the preferred resolution to this is to relax the template to allow array-based attestation statements.


## Proposed Change

1. Inline the `.within` control operator into the `attObj` definition:

    ```
    attObj = {
        authData: bytes,
        $$attStmtType
    } .within attStmtTemplate  ; Every attestation statement format must have the fields below
    ```

2. Add a choice to `attStmtTemplate` to allow an array for `attStmt`:

    ```
    attStmtTemplate = {
        authData: bytes,
        fmt: text,
        attStmt: (
            { * tstr => any } ; Map is filled in by each concrete attStmtType
            //
            [ * any ]         ; attStmt may also be an array
        ),
    }
    ```

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2210 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 20 November 2024 20:45:47 UTC
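
The mismatch described in the issue above, as an added example that is not part of the original message or of the WebAuthn specification: a shape check of a decoded attestation object against the template as quoted, against the proposed relaxed template, and against the compound rule `[2* nonCompoundAttStmt]`. Decoded CBOR is modelled with plain Python values, the function names are hypothetical, and all sample objects are constructed.

```python
# Added illustration. Decoded CBOR is modelled with plain Python values:
# map -> dict, array -> list, bstr -> bytes, tstr -> str.
# Function names are hypothetical; all sample objects are constructed.

def is_text_keyed_map(v):
    # CDDL: { * tstr => any }
    return isinstance(v, dict) and all(isinstance(k, str) for k in v)

def matches_template(att_obj, allow_array=False):
    """Shape check for attObj against attStmtTemplate.
    allow_array=False: attStmt must be a map (template as quoted from 6.5.4).
    allow_array=True: attStmt may also be an array (the proposed change)."""
    if not isinstance(att_obj, dict) or set(att_obj) != {"authData", "fmt", "attStmt"}:
        return False
    if not isinstance(att_obj["authData"], bytes) or not isinstance(att_obj["fmt"], str):
        return False
    stmt = att_obj["attStmt"]
    return is_text_keyed_map(stmt) or (allow_array and isinstance(stmt, list))

def is_non_compound_att_stmt(item):
    # nonCompoundAttStmt: has fmt and attStmt, and fmt is text other than "compound".
    # Assumption: every non-compound attStmt is a text-keyed map; the
    # per-format contents (alg, sig, x5c, ...) are not checked here.
    return (isinstance(item, dict) and set(item) == {"fmt", "attStmt"}
            and isinstance(item["fmt"], str) and item["fmt"] != "compound"
            and is_text_keyed_map(item["attStmt"]))

def matches_compound(att_obj):
    # fmt: "compound", attStmt: [2* nonCompoundAttStmt]
    if not matches_template(att_obj, allow_array=True) or att_obj["fmt"] != "compound":
        return False
    stmt = att_obj["attStmt"]
    return (isinstance(stmt, list) and len(stmt) >= 2
            and all(is_non_compound_att_stmt(s) for s in stmt))

AUTH_DATA = b"\x01" * 37  # constructed placeholder, not real authenticator data
PACKED = {"fmt": "packed", "attStmt": {"alg": -7, "sig": b"\x00" * 8}}
NONE = {"fmt": "none", "attStmt": {}}
INNER = {"fmt": "compound", "attStmt": [PACKED, NONE]}
SINGLE = {"authData": AUTH_DATA, **PACKED}
COMPOUND = {"authData": AUTH_DATA, "fmt": "compound", "attStmt": [PACKED, NONE]}
NESTED = {"authData": AUTH_DATA, "fmt": "compound", "attStmt": [PACKED, INNER]}

if __name__ == "__main__":
    for name, obj in [("single", SINGLE), ("compound", COMPOUND), ("nested", NESTED)]:
        print(name, matches_template(obj), matches_template(obj, True), matches_compound(obj))
```

The relaxed template accepts the nested object because `[ * any ]` places no constraint on the array items; only the compound-specific rule rejects it, so a verifier has to apply both checks.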