You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, WebAuthn signatures are constructed in a 'special' way, which includes a hash of the user-provided data and another parameters. Generally, this is:
Now, I'm currently working on interoperating with CMS (i.e., RFC 5652 or PKCS#7) and handling WebAuthn assertions is challenging because there is no 'proper' way to indicate how they should be validated, as compared with algorithms that are well-known in ASN.1. For instance, setting the algrithm to ecdsa-with-SHA256 (1.2.840.10045.4.3.2) would almost work, but the data need to be treated in a special way, as 'regular' ecdsa-with-SHA256 doesn't go over a hash of the message.
Proposed Change
This is not a change that affects WebAuthn per se, but rather a request to collaborate with IANA (or altenatively, ISO / ITU-T) to define OIDs and their respective parameters that can be used to handle WebAuthn assertions in CMS and the rest of the ASN.1 world.
For the common case of dataToBeSigned <- authenticatorData || DIGEST(data), this may or may not require a new algorithm OID to be defined (likely yes, for backwards compatibility), but it would require at least creating a new algorithm parameter to include authenticatorData, and for any other parameters needed.
The text was updated successfully, but these errors were encountered:
From the WG call of 2024-02-28: we agree that you would probably want some specific OIDs for this case. If you can get them assigned from a reasonably canonical arc, we would consider listing them in the spec. We don't know that the W3C itself has an arc however.
This relates indirectly to #799.
Currently, WebAuthn signatures are constructed in a 'special' way, which includes a hash of the user-provided data and another parameters. Generally, this is:
dataToBeSigned <- authenticatorData || DIGEST(data)
.For example reference:
And so on from the rest of spec, where FIDO seems to be an exception:
Now, I'm currently working on interoperating with CMS (i.e., RFC 5652 or PKCS#7) and handling WebAuthn assertions is challenging because there is no 'proper' way to indicate how they should be validated, as compared with algorithms that are well-known in ASN.1. For instance, setting the algrithm to
ecdsa-with-SHA256
(1.2.840.10045.4.3.2
) would almost work, but the data need to be treated in a special way, as 'regular'ecdsa-with-SHA256
doesn't go over a hash of the message.Proposed Change
This is not a change that affects WebAuthn per se, but rather a request to collaborate with IANA (or altenatively, ISO / ITU-T) to define OIDs and their respective parameters that can be used to handle WebAuthn assertions in CMS and the rest of the ASN.1 world.
For the common case of
dataToBeSigned <- authenticatorData || DIGEST(data)
, this may or may not require a new algorithm OID to be defined (likely yes, for backwards compatibility), but it would require at least creating a new algorithm parameter to includeauthenticatorData
, and for any other parameters needed.The text was updated successfully, but these errors were encountered: