[webauthn] Public key rules for "packed" attestation type

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Public key rules for "packed" attestation type ==
Consider section 8.2 https://www.w3.org/TR/webauthn/#packed-attestation 

When following the steps for the verification procedure it is not clear what validation should be performed on the attested credential public key (in authData). With the fido-u2f attestation type this is explicit (strict rules on key type, algorithm and curve). With packed, I can't find any validation rules in the spec for the credential public key.

Whilst section 6.3.5 (https://www.w3.org/TR/webauthn/#signature-attestation-types) does make mention of signature formats, there is no guidance on what is considered an acceptable key type, algorithm, etc. for packed attestation credentials. Is this a gap, or simply up to the policy of the RP to decide?


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/981 using your GitHub account

Received on Monday, 2 July 2018 23:18:36 UTC
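Added example (not part of the issue, the WebAuthn spec, or the w3c/webauthn project's code): since the issue asks whether validation of the attested credential public key is left to RP policy, this shows one way a relying party could enforce its own policy on the COSE_Key found in authData when handling packed attestation. It carries a minimal CBOR decoder for the key map, an allow-list check on kty/alg/crv plus a coordinate-length check, and a check that the packed attStmt alg agrees with the key's alg. The COSE label and value constants follow the IANA COSE registries; the allow-list (RP_ALLOWED_KEYS), the helper names and the sample keys are assumptions constructed for this example, and the coordinate and modulus bytes are filler, not real key material.

```python
# Added example: RP-side policy check on the credential public key (COSE_Key)
# carried in authData. Not spec text; the allow-list is an assumed RP policy.

# COSE_Key labels/values (IANA COSE registries).
COSE_KTY, COSE_ALG = 1, 3
COSE_EC2_CRV, COSE_EC2_X, COSE_EC2_Y = -1, -2, -3   # labels -1..-3 when kty=EC2
COSE_RSA_N, COSE_RSA_E = -1, -2                     # the same labels mean n, e when kty=RSA
KTY_EC2, KTY_RSA = 2, 3
ALG_ES256, ALG_RS256 = -7, -257
CRV_P256 = 1

RP_ALLOWED_KEYS = {(KTY_EC2, ALG_ES256, CRV_P256)}  # assumed policy: ES256 on P-256 only
EC2_COORD_LEN = {CRV_P256: 32}                      # expected x/y length per curve


def _uint(data, pos, info):
    """Decode the CBOR 'additional information' field into an integer argument."""
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None or pos + width > len(data):    # reserved/indefinite, or truncated
        raise ValueError("bad or truncated CBOR length")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def _decode(data, pos):
    """Decode one CBOR item: ints, byte strings and maps (all a COSE_Key needs here)."""
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major == 0:                                  # unsigned integer
        return _uint(data, pos, info)
    if major == 1:                                  # negative integer, encoded as -1 - n
        n, pos = _uint(data, pos, info)
        return -1 - n, pos
    if major == 2:                                  # byte string
        n, pos = _uint(data, pos, info)
        if pos + n > len(data):
            raise ValueError("truncated byte string")
        return bytes(data[pos:pos + n]), pos + n
    if major == 5:                                  # map
        n, pos = _uint(data, pos, info)
        out = {}
        for _ in range(n):
            k, pos = _decode(data, pos)
            v, pos = _decode(data, pos)
            if k in out:
                raise ValueError("duplicate map label %r" % (k,))
            out[k] = v
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def decode_cose_key(data, pos=0):
    """Return (cose_key_dict, end_offset). The end offset lets a caller continue
    into the extensions that may follow the key inside authData."""
    obj, end = _decode(data, pos)
    if not isinstance(obj, dict):
        raise ValueError("COSE_Key must be a CBOR map")
    return obj, end


def check_credential_public_key(key, allowed=RP_ALLOWED_KEYS):
    """Apply the RP allow-list to a decoded COSE_Key. Returns (ok, reason)."""
    kty, alg = key.get(COSE_KTY), key.get(COSE_ALG)
    if not isinstance(kty, int) or not isinstance(alg, int):
        return False, "kty and alg must be present integers"
    crv = key.get(COSE_EC2_CRV) if kty == KTY_EC2 else None
    if (kty, alg, crv) not in allowed:
        return False, "kty=%d alg=%d crv=%r not in RP allow-list" % (kty, alg, crv)
    n = EC2_COORD_LEN.get(crv) if kty == KTY_EC2 else None
    if n is not None:                               # sanity-check the point encoding
        x, y = key.get(COSE_EC2_X), key.get(COSE_EC2_Y)
        if not all(isinstance(c, bytes) and len(c) == n for c in (x, y)):
            return False, "EC2 x/y must each be %d bytes for crv=%d" % (n, crv)
    return True, "ok"


def attstmt_alg_matches_key(key, attstmt_alg):
    """True when the packed attStmt 'alg' names the same algorithm as the credential key."""
    return key.get(COSE_ALG) == attstmt_alg


def _bstr(b):
    """CBOR-encode a byte string (used only to build the constructed samples)."""
    n = len(b)
    if n < 24:
        return bytes([0x40 | n]) + b
    return (b"\x58" + bytes([n]) if n < 256 else b"\x59" + n.to_bytes(2, "big")) + b


# Constructed samples; coordinate/modulus bytes are filler, not real key material.
SAMPLE_ES256_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01"         # {1:2, 3:-7, -1:1,
                    + b"\x21" + _bstr(b"\x11" * 32)        #  -2: x (32 bytes),
                    + b"\x22" + _bstr(b"\x22" * 32))       #  -3: y (32 bytes)}
SAMPLE_RS256_KEY = (b"\xa4\x01\x03\x03\x39\x01\x00"         # {1:3, 3:-257,
                    + b"\x20" + _bstr(b"\xab" * 256)       #  -1: n (256 bytes),
                    + b"\x21" + _bstr(b"\x01\x00\x01"))    #  -2: e}
SAMPLE_SHORT_X_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01"       # ES256 labels, but x is 31 bytes
                      + b"\x21" + _bstr(b"\x11" * 31)
                      + b"\x22" + _bstr(b"\x22" * 32))

if __name__ == "__main__":
    for name, raw in (("ES256/P-256", SAMPLE_ES256_KEY), ("RS256", SAMPLE_RS256_KEY),
                      ("short x", SAMPLE_SHORT_X_KEY)):
        key, _ = decode_cose_key(raw)
        print(name, check_credential_public_key(key))
```

The decoder deliberately refuses indefinite-length items, duplicate labels and anything beyond ints, byte strings and maps, so a malformed key is rejected rather than partially accepted; an RP would slice the key out of authData after the credentialId and use the returned end offset to locate any extensions that follow it.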