Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add uaf attestation format #408

Closed
wants to merge 6 commits into from
Closed

Add uaf attestation format #408

wants to merge 6 commits into from

Conversation

rlin1
Copy link
Contributor

@rlin1 rlin1 commented Apr 18, 2017
edited by pr-preview bot

jyasskin
jyasskin suggested changes Apr 18, 2017
View reviewed changes
Copy link
Member

@jyasskin jyasskin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing against this particular attestation format, but there are getting to be a lot of attestation formats that RPs have to implement. Is there any way to limit the number of formats?

@nadalin nadalin added this to the L2-WD-00 milestone May 2, 2017
@rlin1 rlin1 self-assigned this May 4, 2017
@rlin1
Copy link
Contributor Author

rlin1 commented May 4, 2017

There exist some (relevant) classes of authenticator models in the market. I propose to support the most important ones.
In the end the RP will decide which ones to accept.

@selfissued selfissued self-requested a review May 16, 2017 01:03
selfissued
selfissued requested changes May 16, 2017
View reviewed changes
Copy link
Contributor

@selfissued selfissued left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per my review of PR #407 , we should do what it takes to make it be possible to add the UAF credential type and attestation format in a separate document, rather than requiring that they be added to the WebAuthn spec. That's the approach that I think we should pursue for this one and PR #407 . With adequate registry support, every additional algorithm, etc. need not be continually added to the WebAuthn spec itself.

This was referenced May 17, 2017
Closed
Closed
@equalsJeffH
Copy link
Contributor

@selfissued proposed:

Per my review of PR #407 , we should do what it takes to make it be possible to add the UAF credential type and attestation format in a separate document, rather than requiring that they be added to the WebAuthn spec. That's the approach that I think we should pursue for this one and PR #407 . With adequate registry support, every additional algorithm, etc. need not be continually added to the WebAuthn spec itself.

While I agree with adding registry support for WebAuthn signature-and-assertion-formats (see #296, #233), I disagree with not merging #407 and #408 in this specific case of UAF because:

  1. there are millions of already-deployed UAF-capable smartphones, which are upgradeable to speak CTAP and thus be usable with WebAuthn-enabled browsers via CTAP (in the nearish term), and,
  2. the amount of normative spec prose to enable handling UAF signature and assertion format is small, and largely consists of changes we will need to introduce anyway in order to prepare the webauthn spec to properly leverage a "signature and assertion format registry". Essentially the webauthn spec will just reference the UAF spec set for the bulk of the normative details.
  3. we have updated the webauthn spec already to handle U2F authenticators for essentially the same reasons.

If someone later desires to register and have WebAuthn support yet another signature-and-assertion-format, then I agree that the approach they should take is to formally register such and specify it in self-contained specs separate from the present WebAuthn spec.

This PR is concise, largely does not affect other portions of the webauthn spec, incorporates some changes that we will need to do any way in order to have the spec properly handle separately-defined assertion-and-signature-formats.

We ought to refine this PR and #407 appropriately and merge them for WD-06.

Fixes #465

@equalsJeffH equalsJeffH mentioned this pull request May 17, 2017
Open
@leshi
Copy link
Contributor

leshi commented Sep 14, 2017

Please resolve the discussion in #554 before merging.

@equalsJeffH equalsJeffH mentioned this pull request Jun 5, 2018
Closed
@equalsJeffH equalsJeffH modified the milestones: L2-WD-00, L2-WD-01 Feb 13, 2019
@nadalin
Copy link
Contributor

nadalin commented Mar 7, 2019

Per 03/07/19 F2F Close

@nadalin nadalin closed this Mar 7, 2019
@emlun emlun deleted the uaf-attestation-format branch June 22, 2022 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jyasskin jyasskin jyasskin requested changes

@selfissued selfissued selfissued requested changes

Assignees

@rlin1 rlin1

Labels
None yet
Projects
None yet
Milestone
L2-WD-02
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@rlin1 @equalsJeffH @leshi @nadalin @jyasskin @selfissued