[webkit-reviews] review granted: [Bug 217945] [WebAuthn] Determine an AAGUID for the platform authenticators : [Attachment 413150] Patch

bugzilla-daemon at webkit.org
Wed Nov 4 13:52:53 PST 2020


Brent Fulgham <bfulgham at webkit.org> has granted Jiewen Tan
<jiewen_tan at apple.com>'s request for review:
Bug 217945: [WebAuthn] Determine an AAGUID for the platform authenticators
https://bugs.webkit.org/show_bug.cgi?id=217945

Attachment 413150: Patch

https://bugs.webkit.org/attachment.cgi?id=413150&action=review




--- Comment #5 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 413150
  --> https://bugs.webkit.org/attachment.cgi?id=413150
Patch

This looks good to me, but I'd like you to double-check the none-attestation
case before we land.

> Source/WebKit/ChangeLog:9
> +	   The AAGUID is randomly generated by CCRandomGenerateBytes.
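
Review bot: The ChangeLog sentence at line 9 says how the AAGUID was produced but not whether it is a fixed value generated once or something generated at run time, and it does not say where the value is defined. Since the bug is about determining an AAGUID for the platform authenticators, the entry should state that the value is fixed, name the constant or file that holds it, and give the reason a non-null AAGUID is needed.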

I think we should say:

"Relying parties use the AAGUID to recognize supported authenticators. Using a
NULL AAGUID blocks them from recognizing Apple products as valid
WebAuthentication targets. We need to assign ourselves a GUID representing
Apple authenticators, then publish with our attestation certificate and with
the FIDO Alliance."

It would also be good to reference the communication to the FIDO Alliance
documenting this GUID (not sure if this would be a pull request, or how that
works).

> Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:373
> +	   auto authData = buildAuthData(creationOptions.rp.id,
makeCredentialFlags, counter,
buildAttestedCredentialData(Vector<uint8_t>(aaguidLength, 0), credentialId,
cosePublicKey));
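
Review bot: In the buildAttestedCredentialData call at line 373 the AAGUID argument is still a zero-filled vector built inline, Vector<uint8_t>(aaguidLength, 0), in a patch whose purpose is to determine an AAGUID. If zeros are intended on this path, add a comment saying why and use a named constant for the null AAGUID so the call does not read as a leftover placeholder; if they are not intended, pass the new AAGUID here.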

Do we not want to indicate that we are an Apple authenticator for the
none-attestation case? From Frederic Jahn's bug report, it sounds like this is
needed to decide whether they allow our authenticator at all.

If you aren't sure, can you check with Frederic?
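
An added example, not part of the original review or the WebKit patch: a relying-party-side check in Python that reads the AAGUID out of WebAuthn authenticator data and shows why an all-zero value cannot be matched against an allowlist. The allowlisted AAGUID, the `example.test` RP ID and the sample builder are constructed for illustration.

```python
import hashlib
import struct
import uuid

AAGUID_LEN = 16
ZERO_AAGUID = bytes(AAGUID_LEN)
FLAG_AT = 0x40  # attested credential data included

# Constructed placeholder, not a real vendor AAGUID.
ALLOWED_AAGUIDS = {uuid.UUID("11111111-2222-3333-4444-555555555555")}


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from WebAuthn authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) |
    credentialIdLength(2, big-endian) | credentialId | COSE public key.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 37 + AAGUID_LEN + 2:
        raise ValueError("truncated attested credential data")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID runs past end of buffer")
    return uuid.UUID(bytes=aaguid)


def classify(auth_data: bytes) -> str:
    """Map a registration's AAGUID to an allowlist decision."""
    aaguid = parse_aaguid(auth_data)
    if aaguid.bytes == ZERO_AAGUID:
        return "unidentified"  # null AAGUID: model cannot be recognized
    return "allowed" if aaguid in ALLOWED_AAGUIDS else "unknown-model"


def build_sample(aaguid: bytes, rp_id: str = "example.test") -> bytes:
    """Constructed test input; the COSE key is a stand-in byte string."""
    cred_id = bytes(range(16))
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x45])  # UP|UV|AT
            + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```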

