[webauthn] Move step 16 of Registration to between 21 and 22 (#1555)

Firstyear has just created a new issue for https://github.com/w3c/webauthn:

== Move step 16 of Registration to between 21 and 22 ==
Step 16 of registration ( https://w3c.github.io/webauthn/#sctn-registering-a-new-credential ) is:

> Verify that the "alg" parameter in the credential public key in authData matches the alg attribute of one of the items in options.pubKeyCredParams.

However, if an RP implementor is following and implementing the specification to the letter, with the steps in order (which they should be! The order of these steps is vital!), then the value of 'credential public key' is not available at this point. credential public key is first made available by the parsing of the attested credential data, and its subsequent verification during attestation in steps such as: https://w3c.github.io/webauthn/#sctn-packed-attestation verification procedure step 2.

It may then make more sense to move step 16 to between step 21 and 22, so that the data is attested and validated first, then the credential public key can have its alg checked.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1555 using your GitHub account



Received on Thursday, 28 January 2021 01:43:36 UTC
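
The ordering dependency raised in the issue, as an added example that is not part of the original issue or of the WebAuthn specification: the alg comparison against options.pubKeyCredParams can only run after the attested credential data has been parsed out of authData. Attestation statement verification is not shown; the function names, the minimal CBOR decoder and the constructed sample authData are assumptions made for illustration.

```python
AT_FLAG = 0x40   # authData flags bit: attested credential data included
COSE_ALG = 3     # COSE_Key map label for "alg"

def _cbor_item(buf, pos):
    """Decode one CBOR item (ints, strings, maps only). Returns (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27 and pos + (1 << (info - 24)) <= len(buf):
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported or truncated CBOR length")
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3) and pos + arg <= len(buf):
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = _cbor_item(buf, pos)
            out[key], pos = _cbor_item(buf, pos)
        return out, pos
    raise ValueError("unsupported or truncated CBOR item")

def credential_public_key(auth_data):
    """Return the COSE key map from authData's attested credential data."""
    # Layout: rpIdHash(32) flags(1) signCount(4) aaguid(16) credIdLen(2) credId key
    if len(auth_data) < 55 or not auth_data[32] & AT_FLAG:
        raise ValueError("no attested credential data in authData")
    cred_id_len = int.from_bytes(auth_data[53:55], "big")
    key, _ = _cbor_item(auth_data, 55 + cred_id_len)
    if not isinstance(key, dict):
        raise ValueError("credential public key is not a COSE map")
    return key

def alg_is_allowed(auth_data, pub_key_cred_params):
    """The alg check: only possible once the key has been parsed out of authData."""
    allowed = {p["alg"] for p in pub_key_cred_params}
    return credential_public_key(auth_data).get(COSE_ALG) in allowed

def sample_auth_data():
    """Constructed authData: flags UP|AT, 4-byte credential ID, EC2 key with alg -7."""
    cose = bytes.fromhex("a5010203262001215820") + bytes(32) + bytes.fromhex("225820") + bytes(32)
    return bytes(32) + b"\x41" + bytes(4) + bytes(16) + b"\x00\x04" + b"\x01\x02\x03\x04" + cose
```

An RP following the order proposed in the issue would call alg_is_allowed only after the attestation statement over this same authData has been verified.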