Merge pull request #1950 from w3c/tc-att-compound

Add `compound` attestation format
w3c · Oct 6, 2023 · d9bdee4 · d9bdee4
2 parents b59b425 + e0a4f31
commit d9bdee4
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -6322,6 +6322,45 @@ This attestation statement format is exclusively used by Apple for certain types
     5. Verify that the [=credential public key=] equals the Subject Public Key of |credCert|.
     6. If successful, return implementation-specific values representing attestation type [=Anonymization CA=] and attestation trust path |x5c|.
 
+## Compound Attestation Statement Format ## {#sctn-compound-attestation}
+
+The "compound" attestation statement format is used to pass multiple, self-contained attestation statements in a single ceremony.
+
+
+: Attestation statement format identifier
+:: compound
+
+: Attestation types supported
+:: Any. See [[#sctn-attestation-types]].
+
+: Syntax
+:: The syntax of a compound attestation statement is defined as follows:
+
+    ```
+    $$attStmtType //= (
+                          fmt: "compound",
+                          attStmt: [2* nonCompoundAttStmt]
+                      )
+
+    nonCompoundAttStmt = { $$attStmtType } .within { fmt: text .ne "compound" }
+    ```
+
+: Signing procedure
+:: Not applicable
+
+: Verification procedure
+:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the [=verification procedure=] is
+    as follows:
+    1. [=list/For each=] |subStmt| of |attStmt|, evaluate the [=verification procedure=]
+        corresponding to the [=attestation statement format identifier=] <code>|subStmt|.fmt</code>
+        with [=verification procedure inputs=] |subStmt|, |authenticatorData| and |clientDataHash|.
+
+        If validation fails for one or more |subStmt|, decide the appropriate result based on [=[RP]=] policy.
+
+    2. If sufficiently many (as determined by [=[RP]=] policy) [=list/items=] of |attStmt| verify successfully,
+        return implementation-specific values representing any combination of outputs from successful [=verification procedures=].
+
+
 # <dfn>WebAuthn Extensions</dfn> # {#sctn-extensions}
 
 The mechanism for generating [=public key credentials=], as well as requesting and generating Authentication assertions, as