-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
device public key extension #1663
Conversation
This PR instantiates the `getDevicePublicKey` extension. RPs desiring to have a guaranteed device-bound public key returned on `create()` and `get()` need to simply include this extension on their `create()` and `get()` calls. On `create()`, a device-bound public key pair is created in addition to the [credential key pair](https://www.w3.org/TR/webauthn-2/#credential-key-pair), and the extension result conveys the devicePublicKey to the RP. On `get()`, a device-bound public key pair is created if one does not yet exist, and the resulting devicePublicKey is conveyed in the extension result to the RP.
This adds a ProVerif model for the device-bound public key (device-bound key pair) extension.
revise model to have discrete message components and to leverage named_tuples.pvl and crypto.pvl.
this is the stage of development I first shared with internal colleagues post the original hand-wavy prose writeup.
Co-authored-by: Shane Weeden <[email protected]>
(This was discussed at TPAC.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor gramatical conern, otherwise LGTM.
From the call of 2022-10-05: address https://github.com/w3c/webauthn/pull/1663/files#r790893167 and then work with Wendy to get this landed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for taking this on @agl!
This resolves https://github.com/w3c/webauthn/pull/1663/files#r790893167 but including the suggested wording. (Tweaked to make bikeshed happy.)
wseltzer marked as non substantive for IPR from ash-nazg. |
Noting that @equalsJeffH made his contributions while a Member participant in the WG, and thus with IPR commitments under the W3C Patent Policy, I'm dismissing the IPR bot with "non-substantive" mark. Thanks @agl! |
Shane indicated that he didn't have objections to landing during the call but still has the objection flag on his review. Clearing.
The resolves #1658 by defining the
devicePubKey
extension et al. It is admittedly rough and will need further work, thus am casting it as a "draft" PR.update 4-Mar-2022: @ve7jtb has submitted issue #1701 --- this PR needs to be updated to address it.
update 19-Mar-2022: commit f0fe8f2 is a rough start at adding an authenticator-generated nonce to
attObjForDevicePublicKey
: fixes #1701update 23-Mar-2022: there's now commits beyond f0fe8f2 attempting to further refine the RP usage and extension output verification procedures. Though, see also issue #1711 and #1663 (comment): issue #1711 really needs to be addressed as a part of the
devicePubKey
effort.Preview | Diff