Implement AuthenticatorAttestationResponse interface #177
Comments
Why is it helpful? What is it going to be used for?
I guess this link answers your question
Unfortunately it doesn't. This explains user agent / client-side convenience methods to avoid the RP having to parse the COSE format as far as I read it. This is not necessary for RPs that are already capable of parsing CBOR data. Particularly telling lines are as follows:
Well, if a user needs to verify a signature using a public key, the first step is to convert the public key from COSE format to PKIX, ASN.1 DER format. Following that, the public key usually needs to be encoded from DER to PEM format for storage purposes, like in databases or files. Also, the specification includes helpful methods such as However, while user agents can handle the parsing process, sometimes developers might not be familiar with technical aspects like COSE, DER, and so on. It would be convenient if users could directly obtain the DER public key through a method in AuthenticatorAttestationResponse.
The storage element is pretty unlikely to be a consideration. We expect the COSE encoded bytes to be stored and returned from storage. What element of signature validation needs to be done manually by someone using the library that isn't currently done automatically by the library implementation? My overall point is that these functions appear to be implementations of the WebAuthn API which are expected in the user agent in the yet to be recommended level 3. They also appear solely for convenience to handle specific simplification for implementers to ease their ability to perform all of the necessary checks rather than having to decode COSE data (which we already do internally).
Also maybe @nicksteele can weigh in on this one if he's not too busy.
I agree, additionally these operations could be performed on and returned from the client.
Description
Implement AuthenticatorAttestationResponse interface methods:
Use Case
It's not easy to parse CBOR encoded data in some environments. It will be helpful to implement the methods described in the spec, e.g.:
Documentation
https://www.w3.org/TR/webauthn-2/#authenticatorattestationresponse
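
Added example, not part of the issue or of the project's code: the COSE to PKIX DER to PEM conversion discussed in the comments and in the use case above, narrowed to an ES256 (P-256) credential key. The function names, the minimal CBOR reader and the sample key are assumptions constructed for illustration.

```python
import base64

# Constructed sample: COSE_Key {1: 2, 3: -7, -1: 1, -2: x, -3: y}; the point is the P-256 generator.
SAMPLE_COSE = bytes.fromhex(
    "a5010203262001215820" "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "225820" "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
# DER header of SubjectPublicKeyInfo {id-ecPublicKey, prime256v1}, up to the BIT STRING body.
SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # P-256 field prime
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B  # curve constant b

def _item(buf, i):
    """Decode one CBOR integer or byte string at offset i (inline or 1-byte argument only)."""
    major, arg, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if arg == 24:
        arg, i = buf[i], i + 1
    elif arg > 24:
        raise ValueError("unsupported CBOR argument size")
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), i
    if major == 2 and i + arg <= len(buf):
        return buf[i:i + arg], i + arg
    raise ValueError("unsupported or truncated CBOR item")

def cose_es256_to_spki(cose):
    """Convert a COSE EC2 / P-256 public key to PKIX SubjectPublicKeyInfo DER."""
    try:
        if cose[0] >> 5 != 5 or cose[0] & 0x1F >= 24:
            raise ValueError("not a small CBOR map")
        key, i = {}, 1
        for _ in range(cose[0] & 0x1F):
            label, i = _item(cose, i)
            key[label], i = _item(cose, i)
    except IndexError as exc:
        raise ValueError("truncated COSE_Key") from exc
    x, y = key.get(-2), key.get(-3)
    if (key.get(1), key.get(3), key.get(-1)) != (2, -7, 1) or not all(
            isinstance(c, bytes) and len(c) == 32 for c in (x, y)):
        raise ValueError("not an ES256 key on P-256")
    xi, yi = int.from_bytes(x, "big"), int.from_bytes(y, "big")
    # Reject coordinates outside the field or off the curve y^2 = x^3 - 3x + b (mod p).
    if xi >= P or yi >= P or (yi * yi - xi**3 + 3 * xi - B) % P:
        raise ValueError("point is not on P-256")
    return SPKI_PREFIX + b"\x04" + x + y  # BIT STRING body is the uncompressed point

def spki_to_pem(der):
    """Wrap DER in the PEM armor used for SubjectPublicKeyInfo keys."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"
```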