[webauthn] Description of attestation signature generation for ECDAA needs to be fixed.

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Description of attestation signature generation for ECDAA needs to be fixed. ==
§7.2 Packed Attestation Statement Format describes the syntax and semantics of the Packed Attestation Statement.
The signing and verification attestation procedures are explained.
In case of using ECDAA for the attestation, the signing procedure is somewhat weird.
The following is the signing procedure depicted for ECDAA.
> If ECDAA is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using ECDAA-Sign (see section 3.5 of [FIDOEcdaaAlgorithm]) with a ECDAA-Issuer public key selected through an authenticator-specific mechanism (see [FIDOEcdaaAlgorithm]). It sets alg to the algorithm of the ECDAA-Issuer public key and ecdaaKeyId to the identifier of the ECDAA-Issuer public key (see above).

In order to generate an ECDAA signature, a signer (authenticator) generates the signature with the ECDAA credential and private key instead of using the ECDAA-Issuer public key.
So signing procedure for ECDAA should be fixed.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/591 using your GitHub account

Received on Wednesday, 27 September 2017 11:45:35 UTC