Suggestion: allow optional addition of authData for better compatibility with existing attestation solutions like Apple DeviceCheck #4

Open
arianvp opened this issue Sep 9, 2022 · 0 comments

arianvp commented Sep 9, 2022

I'm interested in using Apple DeviceCheck with this spec, as DeviceCheck exists today and can be used in non-enterprise settings. Problem is that DeviceCheck[0] adheres to WebAuthn more strictly than this spec, and thus it seems impossible to combine at the moment. The problem lies in the redefinition of attToBeSigned. Namely, DeviceCheck will concatenate the authData instead of ignoring it.

Instead of defining attToBeSigned = sha256(key authorization)

it defines it as:

attToBeSigned = authData || sha256(keyAuthorization)

I think we could adopt the spec in a backwards compatible way with the current spec to say:

authData MAY be present. If authData is present, it MUST be prepended to attToBeSigned.

This would make Apple DeviceCheck[0] compatible with this spec.

[0] - https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server
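
The rule proposed in the issue above, sketched from the verifier's side as an added example (not code from the issue author, the spec, or Apple). The function names and sample values are hypothetical and constructed here; the 37-byte minimum is an assumption taken from the WebAuthn authenticator data layout (rpIdHash, flags, signCount).

```python
import hashlib
import struct
from typing import Optional

# WebAuthn authenticator data starts with rpIdHash(32) + flags(1) + signCount(4).
AUTH_DATA_MIN_LEN = 37

# Constructed sample values, not taken from the issue or from any real device.
SAMPLE_KEY_AUTH = "constructed-token.constructed-thumbprint"
SAMPLE_AUTH_DATA = hashlib.sha256(b"constructed.app.id").digest() + b"\x01" + (7).to_bytes(4, "big")


def parse_auth_data_header(auth_data: bytes) -> dict:
    """Split the fixed header so a verifier can check it before trusting it."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authData is shorter than the 37-byte fixed header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:AUTH_DATA_MIN_LEN])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def att_to_be_signed(key_authorization: str, auth_data: Optional[bytes] = None) -> bytes:
    """Return the bytes the attestation signature is expected to cover."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    if auth_data is None:
        # Current spec text: authData is not part of the signed input.
        return digest
    # Proposed rule: a present authData is prepended. An empty or truncated
    # value is rejected instead of being treated as absent, so a statement
    # cannot be verified under both interpretations.
    parse_auth_data_header(auth_data)
    return auth_data + digest


if __name__ == "__main__":
    print(att_to_be_signed(SAMPLE_KEY_AUTH).hex())
    print(att_to_be_signed(SAMPLE_KEY_AUTH, SAMPLE_AUTH_DATA).hex())
    print(parse_auth_data_header(SAMPLE_AUTH_DATA)["sign_count"])
```

A verifier would compare the parsed rp_id_hash against the value it expects before accepting the signature over these bytes.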
