clarify conveyance of attested public key #94
Comments
Should have been addressed by #161
it still looks to me that we are conveying the newly-generated, attested, user authentication (uauth) public key in two places in
section Is the purpose of
Attestation data is not optional - it is never present on getAssertion, and always present on makeCredential. So you are right, the public key is in two places. Options:
@vijaybh wrote:
that's what I thought, tho the "(if present)" notation in the table in {#sec-authenticator-data} had me wondering.
that's something we need to clarify.
Agreed, the latter, also in order to reduce conveyed octets.
See PR #235 for proposed resolution.
the makeCredential() promise returns a ScopedCredentialInfo..
..wherein the publicKey attribute is intended to convey the "attested public key", which is the user's newly-generated public key to be registered with the webauthn relying party (WRP).
However, in the "Packed Attestation (type="packed")" section, there's this text..
..which is clearly saying the attested public key is being conveyed in the rawData object.
Perhaps a hash of the attested public key ought to be conveyed in the rawData object, and it be made clear that the plaintext attested public key be conveyed in ScopedCredentials.publicKey.
also note that our terminology for the so-called attested public key needs to be normalized, see #79.