Proposed Change

I was curious why the `attestedCredentialData` in the `authenticatorGetAssertion` never included the public key of the credential. It includes the credential ID, but not the public key, which is arguably much more important for verifying the signature. Is there some way to perhaps force bit 6 of the `flags` to be true so as to require the public key to be returned in the Attested credential data?
The server (RP) stores the public key (along with the credential ID) after a registration ceremony. There is no need to include it in an authentication ceremony, as the server has everything it needs to validate the signature.
In fact it would be very bad to include the public key along with the assertion signature, because that would create an opportunity for confusing an RP with a valid signature by a different key than the one originally associated with the credential ID. The RP really should retrieve the public key from its own storage, to ensure that the mapping between credential ID and public key remains correct.