https://bugzilla.mindrot.org/show_bug.cgi?id=3516
--- Comment #2 from William Brown <[email protected]> ---

The webauthn attestation sections are reflections of their underlying standards in most cases. However, for FIDO2 the attestation format is defined in the Webauthn standard. For FIDO2, and more specifically CTAP2, this is discussed here:

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#op-makecred-step-rk

"""
Step 19: Generate an attestation statement for the newly-created credential using clientDataHash, taking into account the value of the enterpriseAttestation parameter, if present, as described above in Step 9.
...
attStmt (0x03)
...
The attestation statement, as specified in [WebAuthn].
"""

Thus the document and structure I linked is the correct one.

With this in mind, the lack of a clientDataHash in the attest output created by ssh-keygen means verification of an attestation is not possible, as the FIDO2 device itself will be signing the concatenation of authenticatorData and clientDataHash.

Since this will likely constitute a change to the attest blob format that ssh-keygen produces, this is also why I made the other suggestions to alter the format: as it currently stands, the format is not able to create or validate ECDAA attestation either.

_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
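The point above, as an added example that is neither part of the bug report nor OpenSSH's own code: a stdlib-only Python parser for authenticatorData plus the construction of the message a FIDO2 authenticator signs for a packed attestation (authenticatorData || clientDataHash), showing that the signature base cannot be rebuilt when clientDataHash is absent. The sample authenticatorData and clientDataJSON bytes are constructed, and the COSE key is a stand-in blob that is not decoded.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# authenticatorData flag bits (WebAuthn §6.1)
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    cred_id: Optional[bytes]
    cose_key: Optional[bytes]  # raw CBOR; left undecoded in this example


def parse_auth_data(buf: bytes) -> AuthData:
    """Parse authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData]."""
    if len(buf) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags = buf[:32], buf[32]
    (sign_count,) = struct.unpack(">I", buf[33:37])
    aaguid = cred_id = cose_key = None
    if flags & FLAG_AT:  # attested credential data present (always set for makeCredential)
        if len(buf) < 37 + 18:
            raise ValueError("truncated attested credential data")
        aaguid = buf[37:53]
        (cred_len,) = struct.unpack(">H", buf[53:55])
        cred_id = buf[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
        cose_key = buf[55 + cred_len:]
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, cose_key)


def client_data_hash(client_data_json: bytes) -> bytes:
    """clientDataHash is SHA-256 over the serialized clientDataJSON."""
    return hashlib.sha256(client_data_json).digest()


def signed_message(auth_data: bytes, cdh: Optional[bytes]) -> bytes:
    """The bytes the authenticator signs. Without clientDataHash a verifier cannot build this."""
    if cdh is None or len(cdh) != 32:
        raise ValueError("clientDataHash (32 bytes) missing: attestation cannot be verified")
    return auth_data + cdh


# Constructed sample: rpIdHash of "example.com", UP|UV|AT, counter 7, dummy aaguid/credId/key.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 7)
                    + b"\x11" * 16 + struct.pack(">H", 4) + b"\xaa" * 4 + b"\xa5\x01\x02\x03\x26")
SAMPLE_CLIENT_DATA = b'{"type":"webauthn.create","challenge":"abc","origin":"https://example.com"}'
```

Feeding the output of `signed_message` and the authenticator's signature into an ECDSA verify against the attestation certificate's public key is the remaining step; with only authenticatorData in the blob that step has no message to check.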
