You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Based on discussions with various RPs as well as system integrators for RPs, here are the requirements for attestation for DPK (device-bound public key).
If DPK is supported,
1. an attestation statement shall be included, and
2. the attestation shall be protected from replay attacks
Replay attack protection may be achieved by such a way like including RP-challenge in DPK signature. Using clientDataHash will enable the protection with a minimum extension from the current draft specification.
Without replay attack protection, DPK is equivalent to a bearer token. RPs who need DPK cannot trust such DPK and DPK will not be so useful for RPs.
My understanding is that at the TPAC in 2022-9-13, we confirmed that DPK is replay-protected as DPK signs over clientDataHash in the current PR1663, yet it is unclear.
I suggest to close this issue after the PR is modified to make it clear.
Based on discussions with various RPs as well as system integrators for RPs, here are the requirements for attestation for DPK (device-bound public key).
Replay attack protection may be achieved by such a way like including RP-challenge in DPK signature. Using clientDataHash will enable the protection with a minimum extension from the current draft specification.
Without replay attack protection, DPK is equivalent to a bearer token. RPs who need DPK cannot trust such DPK and DPK will not be so useful for RPs.
Related issue: #1798
The text was updated successfully, but these errors were encountered: