[webauthn] Transaction authorization extensions are registration and authentication extension?

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Transaction authorization extensions are registration and authentication extension? ==
Section 9 describes the initial set of WebAuthn extensions. Each extension is a registration and/or authentication extension, depending on the use case.
In the case of transaction authorization, there are two defined extensions: TxAuthSimple and TxAuthGeneric.
Both extensions are registration extensions and authentication extensions at the same time, which means they can be handled during a create() or get() operation.
In UAF, transaction confirmation (in the WebAuthn context, transaction authorization) is an extended use case of authentication (getAssertion) with the user private key.

As I understand it, the user needs to sign a message including the contents with the credential private key instead of the attestation private key to provide non-repudiation for the transaction authorization.
Thus, the extensions for transaction authorization might be not registration extensions but authentication extensions.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621 using your GitHub account

Received on Tuesday, 10 October 2017 06:58:25 UTC
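
The get() case discussed in the issue, as an added example that is not part of the issue or of the WebAuthn specification: a simulated authenticator places the txAuthSimple prompt in the authenticator data extensions and signs it with the credential private key, and the relying party accepts the transaction only under the public key registered for that credential. The function names, RP ID, client data and prompt are constructed assumptions, and the extensions map is compared bytewise instead of being CBOR-decoded.

```javascript
// Added illustration with constructed data; not code from the WebAuthn spec or the issue.
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// CBOR text string (major type 3) for UTF-8 lengths below 256 bytes.
function cborText(s) {
  const b = Buffer.from(s, 'utf8');
  const head = b.length < 24 ? [0x60 + b.length] : [0x78, b.length];
  return Buffer.concat([Buffer.from(head), b]);
}
// Extensions map {"txAuthSimple": prompt} as it appears at the end of authenticator data.
const txExt = (prompt) =>
  Buffer.concat([Buffer.from([0xa1]), cborText('txAuthSimple'), cborText(prompt)]);

// Simulated authenticator side of get(): rpIdHash || flags || signCount || extensions,
// signed together with the client data hash using the credential private key.
function getAssertion(credentialPrivateKey, rpId, clientDataJSON, prompt) {
  const head = Buffer.alloc(5);
  head[0] = 0x01 | 0x04 | 0x80; // UP, UV, ED (extension data included)
  head.writeUInt32BE(1, 1);     // signature counter
  const authData = Buffer.concat([sha256(rpId), head, txExt(prompt)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, signature: crypto.sign('sha256', signed, credentialPrivateKey) };
}

// Relying party side: accept only if the displayed prompt is the expected one and
// the signature verifies under the public key registered for this credential.
function verifyTransaction(credentialPublicKey, rpId, clientDataJSON, expectedPrompt, a) {
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return false;
  if ((a.authData[32] & 0x80) === 0) return false; // no extension data present
  // Simplification: compare the encoded map instead of decoding CBOR.
  if (!a.authData.subarray(37).equals(txExt(expectedPrompt))) return false;
  const signed = Buffer.concat([a.authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, credentialPublicKey, a.signature);
}

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const credential = newKey();   // per-user credential key pair
const attestation = newKey();  // stand-in for a different key, such as an attestation key
const RP_ID = 'bank.example';  // constructed
const CLIENT_DATA = JSON.stringify({ type: 'webauthn.get', challenge: 'Y29uc3RydWN0ZWQ' });
const PROMPT = 'Pay 10 EUR to Alice'; // constructed
const assertion = getAssertion(credential.privateKey, RP_ID, CLIENT_DATA, PROMPT);
console.log(verifyTransaction(credential.publicKey, RP_ID, CLIENT_DATA, PROMPT, assertion));
```

Verification fails if the expected prompt differs from the signed one or if any key other than the credential public key is used, which is the binding the issue relies on for non-repudiation.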