Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

device public key extension #1663

Merged
merged 144 commits into from
Oct 7, 2022
Merged

Conversation

equalsJeffH
Copy link
Contributor

@equalsJeffH equalsJeffH commented Aug 21, 2021

The resolves #1658 by defining the devicePubKey extension et al. It is admittedly rough and will need further work, thus am casting it as a "draft" PR.

update 4-Mar-2022: @ve7jtb has submitted issue #1701 --- this PR needs to be updated to address it.

update 19-Mar-2022: commit f0fe8f2 is a rough start at adding an authenticator-generated nonce to attObjForDevicePublicKey: fixes #1701

update 23-Mar-2022: there's now commits beyond f0fe8f2 attempting to further refine the RP usage and extension output verification procedures. Though, see also issue #1711 and #1663 (comment): issue #1711 really needs to be addressed as a part of the devicePubKey effort.


Preview | Diff

This PR instantiates the `getDevicePublicKey` extension.

RPs desiring to have a guaranteed device-bound public key returned on `create()` and `get()` need to simply include this extension on their `create()` and `get()` calls.

On `create()`, a device-bound public key pair is created in addition to the [credential key pair](https://www.w3.org/TR/webauthn-2/#credential-key-pair), and the extension result conveys the devicePublicKey to the RP.

On `get()`, a device-bound public key pair is created if one does not yet exist, and the resulting devicePublicKey is conveyed in the extension result to the RP.
This adds a ProVerif model for the device-bound public key (device-bound key pair) extension.
revise model to have discrete message components and to leverage named_tuples.pvl and crypto.pvl.
this is the stage of development I first shared with internal colleagues post the original hand-wavy prose writeup.
index.bs Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
Copy link
Contributor

@sbweeden sbweeden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor gramatical conern, otherwise LGTM.

index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
index.bs Show resolved Hide resolved
index.bs Show resolved Hide resolved
@agl
Copy link
Contributor

agl commented Oct 5, 2022

From the call of 2022-10-05: address https://github.com/w3c/webauthn/pull/1663/files#r790893167 and then work with Wendy to get this landed.

Copy link
Member

@emlun emlun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking this on @agl!

This resolves https://github.com/w3c/webauthn/pull/1663/files#r790893167
but including the suggested wording. (Tweaked to make bikeshed happy.)
@w3cbot
Copy link

w3cbot commented Oct 7, 2022

wseltzer marked as non substantive for IPR from ash-nazg.

@wseltzer
Copy link
Member

wseltzer commented Oct 7, 2022

Noting that @equalsJeffH made his contributions while a Member participant in the WG, and thus with IPR commitments under the W3C Patent Policy, I'm dismissing the IPR bot with "non-substantive" mark. Thanks @agl!

@agl agl dismissed sbweeden’s stale review October 7, 2022 19:36

Shane indicated that he didn't have objections to landing during the call but still has the objection flag on his review. Clearing.

@agl agl merged commit dd7dba6 into main Oct 7, 2022
@agl agl deleted the jeffh-fix-1658-device-bound-key-extension branch October 7, 2022 20:05
github-actions bot added a commit that referenced this pull request Oct 7, 2022
…ension

SHA: dd7dba6
Reason: push, by @agl

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

DPK attestation may create possible side channel attack on the batch key. Device-bound key extension