revised dpk syntax per agl review

w3c · Jun 26, 2021 · 768d900 · 768d900
1 parent 6382444
commit 768d900
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/device-bound-key-pair.pv b/device-bound-key-pair.pv
@@ -184,6 +184,41 @@
 
 
 
+==== Proposed Syntax for devicePublicKey (dpk) (aka Secondary Key aka Device Key) Extension Output ====
+
+    $$extensionOutput //= (                       ; Expressed in CDDL
+        devicePublicKey: AttObjForDevicePublicKey,
+    )
+
+    AttObjForDevicePublicKey = { ; Note: This object conveys an attested device public key
+                                 ; and is analogous to `attObj`.
+
+        sig:                 bstr, ; result of sign((clientDataHash || userCredentialId), devicePrivateKey)
+                                 ; Note that this sig value is unique per-response because clientDataHash contains
+                                 ; the per-request challenge.
+
+        dpkAuthData: bstr, ; AuthDataForDevicePublicKeyAttestation goes here (see below)
+
+        $$attStmtType,  ; see <https://www.w3.org/TR/webauthn/#sctn-generating-an-attestation-object>.
+                            ;
+                            ; Attestation statement formats define the `fmt` and `attStmt` members of
+                            ; $$attStmtType.
+                            ;
+                            ; In summary, the `attStmt` (typically) contains:
+                            ;   (1) a SIGNATURE value calculated (using the attestation private key)
+                            ;       over the bytes of `authDataForDevicePublicKeyAttestation` and
+                            ;   (2) the attestation certificate or public key, and supporting certificates, if any.
+                            ;
+                            ; Note that there are details dependent upon the particular attestation statement
+                            ; format. See <https://www.w3.org/TR/webauthn/#sctn-defined-attestation-formats>.
+    }
+
+    AuthDataForDevicePublicKeyAttestation = {
+        aaguid: bstr        ; authenticator's AAGUID
+        dPK:    bstr        ; self-describing variable length, COSE_Key format (CBOR-encoded)
+    }
+
+
 ==== WebAuthn Signed Objects Hierarchy for Device-bound Key Pair aka Device-bound Public Key aka Secondary Key aka Device Key ====
 
     AuthData for Registration and Authentication Operations returning a devicePublicKey extension response (expressed in RFC5234 ABNF; https://www.w3.org/TR/webauthn/#sctn-authenticator-data ):