Signature field clarification in attestation statement #805
Conversation
|
This specifies the signature format for the packed attestation, which is good, but that would leave the assertion signature format still under-specified. (The assertion signature was what I was testing with Chrome and Firefox since I do not have any tokens that speak CTAP2 and thus could have a packed attestation.) |
|
Moved that information is individual section in the same vicinity of both assertion signature and attestation statements signature. |
index.bs
Outdated
| @@ -2789,6 +2789,50 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats ### {#signature-attestation-types} | |||
| - For COSEAlgorithmIdentifier -7 (ES256), `sig` contains a pair of 32-byte integers, | |||
There was a problem hiding this comment.
The r and s values might not be 32 bytes long in this encoding, and I think the reference for the encoding is RFC 3278 section 3.3.2. So I've say something like:
For {{COSEAlgorithmIdentifier}} -7 (ES256), and other ECDSA-based algorithms, a signature is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [[RFC3279]] section 3.3.1.
(Then drop the added reference to X9.62.)
index.bs
Outdated
|
|
||
| ``` | ||
| Example: | ||
| 30 44 ; SEQUENCE (44 Bytes) |
There was a problem hiding this comment.
The lengths in the comments here are in hex (i.e. "44 Bytes" is 0x44 bytes). But typically such numbers are in base 10.
There was a problem hiding this comment.
Ah.. Yeah, I was using my certutil tool. Will fix it.
index.bs
Outdated
| Example: | ||
| 30 44 ; SEQUENCE (44 Bytes) | ||
| 02 20 ; INTEGER (20 Bytes) | ||
| | 3d 46 28 7b 8c 6e 8c 8c 26 1c 1b 88 f2 73 b0 9a |
There was a problem hiding this comment.
(There are | symbols at the start of these two lines, but not below.)
index.bs
Outdated
| 09 24 2c 13 0b af 30 16 a5 0f 75 ef 99 5f 9b f7 | ||
| ed b0 a6 36 74 0e 90 dc 52 3b 4b 7d c5 eb f8 19 | ||
| ``` | ||
| - For COSEAlgorithmIdentifier -37 (RS256), `sig` contains the signature generated using the |
index.bs
Outdated
| RSASSA-PKCS1-v1_5 signature scheme defined in [[RFC8017]] with SHA256 as the hash function. | ||
| ``` | ||
| Example: | ||
| 87 38 c6 f7 7d 53 3a 7e 73 27 2e 4b 9d 45 c7 19 |
There was a problem hiding this comment.
This example is just 2,048 random bits, right? Dunno how helpful that is :)
There was a problem hiding this comment.
Yeah.. Not helpful. Lets remove that.
index.bs
Outdated
| @@ -2789,6 +2789,50 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats ### {#signature-attestation-types} | |||
There was a problem hiding this comment.
Please make this title more specific clearly restrict its scope to only the kinds of signatures that it applies to. Right now it reads like it applies to all signatures.
For instance, the new title could be "Signature Formats for Packed Attestations and Assertion Signatures" (if that's the correct scoping).
There was a problem hiding this comment.
Changed to added FIDO-U2F attestation format also.
index.bs
Outdated
| ASN.1 DER format defined in [[ANSI.X9-62.2005]] and [[FIPS.186-4.2013]]. | ||
|
|
||
| Note: As CTAP1/U2F devices are already producing signatures in this format, CTAP2 | ||
| devices will also produce signatures in same format for consistency. Otherwise, |
There was a problem hiding this comment.
Change "in same format for consistency" to "in same format, for consistency reasons"
index.bs
Outdated
|
|
||
| Note: As CTAP1/U2F devices are already producing signatures in this format, CTAP2 | ||
| devices will also produce signatures in same format for consistency. Otherwise, | ||
| newer attestation formats MUST use COSE_KEY signature formats as defined in |
There was a problem hiding this comment.
Change "newer attestation formats MUST use COSE_KEY signature formats" to "it is recommended that any new attestation formats defined not use ASN.1 encodings, but instead represent signatures as equivalent fixed-length byte arrays without internal structure, using the same representations as used by COSE signatures"
index.bs
Outdated
| Note: As CTAP1/U2F devices are already producing signatures in this format, CTAP2 | ||
| devices will also produce signatures in same format for consistency. Otherwise, | ||
| newer attestation formats MUST use COSE_KEY signature formats as defined in | ||
| [[IANA-COSE-ALGS-REG]]. |
There was a problem hiding this comment.
Change [[IANA-COSE-ALGS-REG]] to [[!RFC8152]].
index.bs
Outdated
| 17 6c 92 bb 8e 36 c0 41 98 a2 7b 90 9b 6e 8f 13 | ||
| ``` | ||
| - For COSEAlgorithmIdentifier -257 (RS256), `sig` contains the signature generated using the | ||
| RSASSA-PKCS1-v1_5 signature scheme defined in [[RFC8017]] with SHA256 as the hash function. |
There was a problem hiding this comment.
Add a section number reference within RFC 8017 and say that you're including (or not including) the ASN.1 wrapper for the signature. Just saying RFC 8017 is ambiguous, because it defines both the raw signature bytes and an ASN.1 wrapper for those bytes.
There was a problem hiding this comment.
(Referencing the section is a good idea in any case, but I don't believe that there is an ASN.1-based format for an RSA signature.)
index.bs
Outdated
| ed b0 a6 36 74 0e 90 dc 52 3b 4b 7d c5 eb f8 19 | ||
| ``` | ||
| - For COSEAlgorithmIdentifier -37 (RS256), `sig` contains the signature generated using the | ||
| RSASSA-PSS signature scheme defined in [[RFC8017]] with SHA256 as the hash function. |
There was a problem hiding this comment.
Add a section number reference within RFC 8017 and say that you're including (or not including) the ASN.1 wrapper for the signature. Just saying RFC 8017 is ambiguous, because it defines both the raw signature bytes and an ASN.1 wrapper for those bytes.
index.bs
Outdated
| @@ -2789,6 +2789,31 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats for Packed Attestation, FIDO U2F Attestation and Assertion Signatures ### {#signature-attestation-types} | |||
There was a problem hiding this comment.
Put a comma after "FIDO U2F Attestation"
index.bs
Outdated
| devices will also produce signatures in same format, for consistency reasons. | ||
| It is recommended that any new attestation formats defined not use ASN.1 encodings, | ||
| but instead represent signatures as equivalent fixed-length byte arrays without internal structure, | ||
| using the same representations as used by COSE signatures as defined in [[!RFC8152]] |
There was a problem hiding this comment.
You're missing a period at the end of this sentence.
index.bs
Outdated
| | 17 6c 92 bb 8e 36 c0 41 98 a2 7b 90 9b 6e 8f 13 | ||
| ``` | ||
| - For COSEAlgorithmIdentifier -257 (RS256), `sig` contains the signature generated using the | ||
| RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [[RFC8017]] with SHA256 as the hash function. |
There was a problem hiding this comment.
Change SHA256 to SHA-256.
index.bs
Outdated
| - For COSEAlgorithmIdentifier -257 (RS256), `sig` contains the signature generated using the | ||
| RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [[RFC8017]] with SHA256 as the hash function. | ||
| - For COSEAlgorithmIdentifier -37 (PS256), `sig` contains the signature generated using the | ||
| RSASSA-PSS signature scheme defined in section 8.1.1 in [[RFC8017]] with SHA256 as the hash function. |
There was a problem hiding this comment.
Change SHA256 to SHA-256.
index.bs
Outdated
| @@ -2789,6 +2789,31 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures ### {#signature-attestation-types} | |||
| - For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, | |||
| a signature is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [[RFC3279]] section 3.3.1. | |||
There was a problem hiding this comment.
AFAICT there is no "section 3.3.1" in RFC3279. Is the section you actually want to ref https://tools.ietf.org/html/rfc3279#section-2.2.3 ?
There was a problem hiding this comment.
Oh Yes. I mistakenly blindly copied.
index.bs
Outdated
| @@ -2789,6 +2789,31 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures ### {#signature-attestation-types} | |||
| - For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, | |||
| a signature is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [[RFC3279]] section 3.3.1. | |||
There was a problem hiding this comment.
suggest:
s/ a signature is / a signature value is /
index.bs
Outdated
| a signature is encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [[RFC3279]] section 3.3.1. | ||
|
|
||
| Note: As CTAP1/U2F devices are already producing signatures in this format, CTAP2 | ||
| devices will also produce signatures in same format, for consistency reasons. |
There was a problem hiding this comment.
suggest:
s/ signatures / signature values / in both places above
index.bs
Outdated
| devices will also produce signatures in same format, for consistency reasons. | ||
| It is recommended that any new attestation formats defined not use ASN.1 encodings, | ||
| but instead represent signatures as equivalent fixed-length byte arrays without internal structure, | ||
| using the same representations as used by COSE signatures as defined in [[!RFC8152]]. |
There was a problem hiding this comment.
suggest:
s/ [[!RFC8152]] / [[!RFC8152]] and [[!RFC8230]] /
index.bs
Outdated
| but instead represent signatures as equivalent fixed-length byte arrays without internal structure, | ||
| using the same representations as used by COSE signatures as defined in [[!RFC8152]]. | ||
|
|
||
| ``` |
There was a problem hiding this comment.
it appears that the below example is ASN.1-wrapped. If so, I would move it up above the Note: (presently above), because having it down here is confusing -- i was expecting a "raw" fixed-length example to go with the Note.
| @@ -4963,5 +4988,15 @@ for their contributions as our W3C Team Contacts. | |||
| "href": "https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-200604.html", | |||
| "date": "May 15, 2007" | |||
| } | |||
There was a problem hiding this comment.
need a comma here to get spec to build properly
index.bs
Outdated
| "ANSI.X9-62.2005": { | ||
| "title": "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), ANSI X9.62-2005", | ||
| "date": "November 2005" | ||
| } |
There was a problem hiding this comment.
need a comma here to get spec to build properly
| @@ -4963,5 +4988,15 @@ for their contributions as our W3C Team Contacts. | |||
| "href": "https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-200604.html", | |||
| "date": "May 15, 2007" | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
neither of the below references are cited in the above prose re "COSEAlgorithmIdentifier -7 (ES256)", so am wondering why they are here? Yes, tokbind-protocol cites them, but we are instead citing [[RFC3279]] which seems to obviate citing the former two refs.
seems like we can either cite [[RFC3279]] or do it like tokbind and cite the below. I suppose either works for me.
| @@ -2789,6 +2789,31 @@ the [=authenticator=] MUST: | |||
| attStmtTemplate .within $$attStmtType | |||
| ``` | |||
|
|
|||
| ### Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures ### {#signature-attestation-types} | |||
There was a problem hiding this comment.
I would more clearly explain that with respect to [=assertion signatures=] that this is for assertions produced using the three listed signature algorithms.
what about any of the other COSE sig algorithms ?
There was a problem hiding this comment.
They will refer to COSE document.
index.bs
Outdated
| | 4e 72 23 6e a3 90 a9 a1 7b cf 5f 7a 09 d6 3a b2 | ||
| | 17 6c 92 bb 8e 36 c0 41 98 a2 7b 90 9b 6e 8f 13 | ||
| ``` | ||
| - For COSEAlgorithmIdentifier -257 (RS256), `sig` contains the signature generated using the |
There was a problem hiding this comment.
AFAICT the sig values produced by [[RFC8017]] sections 8.1.1 and 8.2.1 are not ASN.1-wrapped. If that is correct, would a Note: to that effect be helpful to readers here?
|
Fixes #799 |
index.bs
Outdated
| @@ -4968,6 +4997,7 @@ for their contributions as our W3C Team Contacts. | |||
| "title": "EduPerson Object Class Specification (200604a)", | |||
| "href": "https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-200604.html", | |||
| "date": "May 15, 2007" | |||
| } | |||
| }, | |||
There was a problem hiding this comment.
Delete the common from this line so that it becomes legal JSON.
index.bs
Outdated
| ``` | ||
|
|
||
| Note: As CTAP1/U2F devices are already producing signatures values in this format, CTAP2 | ||
| devices will also produce signatures values in same format, for consistency reasons. |
There was a problem hiding this comment.
Change "same format" to "the same format"
* Sig Clarification * Sig Clarification 2 * Clarify that ECDSA is ASN.1 DER format * Exception for ECDSA for consistency * Put Signature formats in its own section * typo * Incorporating comments * Incorporating comments-2 * Incorporating comments-3 * Incorporating comments-4 * Json comma issue * Incorporating comments - 6
Fixes #799
Preview | Diff