Basic Signature Validation - Possible? #99
Comments
Not sure I understand, Anders. Without a server challenge, CollectedClientData (https://www.w3.org/TR/webauthn-2/#dictdef-collectedclientdata) would not make sense to a FIDO server trying to verify a response from a client - the server would have no way of knowing if the response was coming from a User whose digital signature it could trust and verify. Perhaps you can explain the larger context of what you're trying to achieve?
On 4/5/21 8:04 AM, Anders Rundgren wrote:

> Pardon my "n00b" status when it comes to FIDO servers...
> According to https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg, the signature consists of two parts.
> Question: I have an application which depends on `clientDataHash`. Is there any way using your server (hopefully unmodified) and even better, the simulator as well that permit this? I.e. there would be no server-generated challenge, just signed data coming from a CTAP2 compatible client.
Thanx Max for the quick response! Imagine a FIDO2 client that hashes a JSON object like:
Result: This would then be used as A verifier has the original JSON object and hashes it as well. Now it wants to know if the received signature validates. The signer is supposed to provide the information required to identify the key like userid. The idea is creating a functional equivalent to an EMV card.
Pardon my "n00b" status when it comes to FIDO servers...
According to https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg:
![fido](https://camo.githubusercontent.com/983c7320b1a793ffb4576c21eacdc7ef3141953647b5a4b19b57fc47f5abc3a8/68747470733a2f2f7733632e6769746875622e696f2f776562617574686e2f696d616765732f6669646f2d7369676e61747572652d666f726d6174732d666967757265322e737667)
the signed data consists of two parts.
Question: I have an application which depends on `clientDataHash`. Is there any way using your server (hopefully unmodified) and even better, the simulator as well that permit this? I.e. there would be no server-generated challenge, just signed data coming from a CTAP2 compatible client.
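The two-part signed message from the figure Anders links (authenticatorData || clientDataHash, with clientDataHash = SHA-256(clientDataJSON)) and Max's point about the server challenge can both be seen in one short program. The Go code below is an added example written for this page; it is not code from this project, the FIDO simulator, or either poster. It assumes ES256 (P-256/SHA-256), a constructed rpId `example.com` and origin `https://example.com`, a constructed signCount of 7, no authenticatorData extensions, and it leaves credential lookup and attestation out. The verifier side checks the type, origin, challenge, rpIdHash and user-presence flag before verifying the signature over the two concatenated parts, and the demo then presents the same response against a fresh challenge to show what the challenge comparison buys the relying party.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// CollectedClientData: the fields a relying party checks; Challenge is base64url (no padding).
type CollectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BuildAuthenticatorData assembles the fixed 37-byte prefix: SHA-256(rpId) || flags || big-endian signCount.
func BuildAuthenticatorData(rpID string, flags byte, signCount uint32) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	out := append(append([]byte{}, rpHash[:]...), flags)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], signCount)
	return append(out, cnt[:]...)
}

// SignedMessage is the two-part construction from the figure:
// authenticatorData || clientDataHash, where clientDataHash = SHA-256(clientDataJSON).
func SignedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdh[:]...)
}

// ClientSign is the authenticator side: ES256 over SHA-256 of the two-part message.
func ClientSign(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	digest := sha256.Sum256(SignedMessage(authData, clientDataJSON))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyAssertion is the server side. The challenge comparison is what ties the
// signature to this particular request; without it the same bytes verify forever.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, origin, rpID string,
	authData, clientDataJSON, sig []byte) error {
	var cd CollectedClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("clientData type or origin mismatch")
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user-presence flag not set")
	}
	digest := sha256.Sum256(SignedMessage(authData, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Demo runs one honest round-trip, then presents the identical response against
// a fresh server challenge. It returns (fresh accepted, replay rejected, error).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	const rpID, origin = "example.com", "https://example.com" // constructed sample values
	challenge, next := make([]byte, 32), make([]byte, 32)
	rand.Read(challenge) // crypto/rand.Read does not fail on supported platforms
	rand.Read(next)
	cdJSON, _ := json.Marshal(CollectedClientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	authData := BuildAuthenticatorData(rpID, 0x01, 7) // UP flag set, constructed signCount 7
	sig, err := ClientSign(priv, authData, cdJSON)
	if err != nil {
		return false, false, err
	}
	fresh := VerifyAssertion(&priv.PublicKey, challenge, origin, rpID, authData, cdJSON, sig) == nil
	replayRejected := VerifyAssertion(&priv.PublicKey, next, origin, rpID, authData, cdJSON, sig) != nil
	return fresh, replayRejected, nil
}

func main() {
	fresh, replay, err := Demo()
	fmt.Println("fresh accepted:", fresh, "replay rejected:", replay, "error:", err)
}
```

Run it with `go run .`; the first verification succeeds and the second fails on the challenge check even though the signature over authenticatorData || clientDataHash is still mathematically valid. That is the gap Max describes: a relying party that accepts a clientDataHash without having issued the challenge inside it has no way to tell a live response from a replayed one.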