device public key extension #1663
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR instantiates the `getDevicePublicKey` extension. RPs desiring to have a guaranteed device-bound public key returned on `create()` and `get()` need to simply include this extension on their `create()` and `get()` calls. On `create()`, a device-bound public key pair is created in addition to the [credential key pair](https://www.w3.org/TR/webauthn-2/#credential-key-pair), and the extension result conveys the devicePublicKey to the RP. On `get()`, a device-bound public key pair is created if one does not yet exist, and the resulting devicePublicKey is conveyed in the extension result to the RP.
This adds a ProVerif model for the device-bound public key (device-bound key pair) extension.
revise model to have discrete message components and to leverage named_tuples.pvl and crypto.pvl.
this is the stage of development I first shared with internal colleagues post the original hand-wavy prose writeup.
ko-koiwai
reviewed
Sep 14, 2022
ko-koiwai
reviewed
Sep 14, 2022
sbweeden
requested changes
Sep 21, 2022
This was referenced Sep 22, 2022
Co-authored-by: Shane Weeden <sbweeden@users.noreply.github.com>
(This was discussed at TPAC.
sbweeden
previously requested changes
Sep 27, 2022
emlun
requested changes
Oct 4, 2022
emlun
requested changes
Oct 4, 2022
|
From the call of 2022-10-05: address https://github.com/w3c/webauthn/pull/1663/files#r790893167 and then work with Wendy to get this landed. |
This resolves https://github.com/w3c/webauthn/pull/1663/files#r790893167 but including the suggested wording. (Tweaked to make bikeshed happy.)
|
wseltzer marked as non substantive for IPR from ash-nazg. |
|
Noting that @equalsJeffH made his contributions while a Member participant in the WG, and thus with IPR commitments under the W3C Patent Policy, I'm dismissing the IPR bot with "non-substantive" mark. Thanks @agl! |
agl
dismissed
sbweeden’s stale review
Shane indicated that he didn't have objections to landing during the call but still has the objection flag on his review. Clearing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The resolves #1658 by defining the
devicePubKeyextension et al. It is admittedly rough and will need further work, thus am casting it as a "draft" PR.update 4-Mar-2022: @ve7jtb has submitted issue #1701 --- this PR needs to be updated to address it.
update 19-Mar-2022: commit f0fe8f2 is a rough start at adding an authenticator-generated nonce to
attObjForDevicePublicKey: fixes #1701update 23-Mar-2022: there's now commits beyond f0fe8f2 attempting to further refine the RP usage and extension output verification procedures. Though, see also issue #1711 and #1663 (comment): issue #1711 really needs to be addressed as a part of the
devicePubKeyeffort.Preview | Diff