Merge pull request #850 from w3c/issue-845-u2f-signature

Add note about verifying U2F assertion signatures
w3c · May 2, 2018 · da1d21d · da1d21d
2 parents 848659e + f394000
commit da1d21d
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -139,7 +139,9 @@ spec: FIDO-APPID; urlPrefix: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-201
 
 spec: FIDO-U2F-Message-Formats; urlPrefix: https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html
     type: dfn
+        text: application parameter; url: authentication-request-message---u2f_authenticate
         text: Section 4.3; url: registration-response-message-success
+        text: Section 5.4; url: authentication-response-message-success
 
 
 </pre> <!-- class=anchors -->
@@ -2290,6 +2292,21 @@ Authenticators:
 - should ensure that the [=signature counter=] value does not 
     accidentally decrease  (e.g., due to hardware failures).
 
+
+### FIDO U2F signature format compatibility ### {#sctn-fido-u2f-sig-format-compat}
+
+The format for [=assertion signatures=], which sign over the concatenation of an [=authenticator data=] structure and the [=hash
+of the serialized client data=], are compatible with the FIDO U2F authentication signature format (see [=Section 5.4=] of
+[[FIDO-U2F-Message-Formats]]).
+
+This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid
+[=authenticator data=] structure, and the remaining 32 bytes are the [=hash of the serialized client data=]. In this
+[=authenticator data=] structure, the <code>[=rpIdHash=]</code> is the FIDO U2F [=application parameter=], all
+<code>[=flags=]</code> except <code>[=UP=]</code> are always zero, and the <code>[=attestedCredentialData=]</code> and
+<code>[=authDataExtensions|extensions=]</code> are never present. FIDO U2F authentication signatures can therefore be verified by
+the same procedure as other [=assertion signatures=] generated by the [=authenticatorMakeCredential=] operation.
+
+
 ## <dfn>Authenticator operations</dfn> ## {#authenticator-ops}
 
 A [=[WAC]=] MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
@@ -3033,6 +3050,9 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) and an {
 1. Using the credential public key looked up in step 3, verify that |sig| is a valid signature over the binary concatenation of
     |aData| and |hash|.
 
+    Note: This verification step is compatible with signatures generated by FIDO U2F authenticators. See
+    [[#sctn-fido-u2f-sig-format-compat]].
+
 1. If the [=signature counter=] value |adata|.<code>[=signCount=]</code> is nonzero or the value stored
     in conjunction with |credential|'s {{Credential/id}} attribute
     is nonzero, then run the following sub-step: