Simplifying attestation, take two #244
Comments
|
+1: It is an important goal to make the object opaque for platforms |
|
👍 |
|
We like this -- this means that Browsers won't need to be updated when an additional attestation format is defined -- yay! |
|
Let me take a crack at this... |
This was referenced Jan 4, 2017
vijaybh
added a commit
that referenced
this issue
Jan 9, 2017
Puts all attestation info into a CBOR object which is opaque to client and only parsed by RP. Fixes #244. This also lays some of the groundwork for adding a U2F attestation format. I will clean up the TPM attestation section in a separate commit.
MXEBot
pushed a commit
to mirror/chromium
that referenced
this issue
Jan 21, 2017
This CL adds the WebAuthn bindings and interface to support WebAuthentication.makeCredential and WebAuthentication.getAssertion. The draft spec is here: https://w3c.github.io/webauthn/ The interface is likely to change as the spec matures. We're tracking the comments and suggestions from this review via issues opened with the working group: w3c/webauthn#310 w3c/webauthn#311 w3c/webauthn#312 w3c/webauthn#313 This patch also proactively implements the change to WebAuthnAttestation suggested here: w3c/webauthn#244 BUG=664630 Review-Url: https://codereview.chromium.org/2533863002 Cr-Commit-Position: refs/heads/master@{#445239}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some colleagues and I have spent a fair bit of time with attestation recently, thinking through implementation issues. It became apparent to us that a browser implementation has to do significant parsing of the attestation data returned from the authenticator even though the client really should not care about the contents of this.
Strawman suggestion that we came up with:
The above CBOR map would not be parsed at all on the client, only at the server. This might also simplify the IDL a little bit.
The text was updated successfully, but these errors were encountered: