Basic Signature Validation - Possible?

[cyberphone]

Pardon my "n00b" status when it comes to FIDO servers...

According to https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg:

the signed data consists of two parts.

Question: I have an application which depends on `clientDataHash'. Is there any way using your server (hopefully unmodified) and even better, the simulator as well that permit this? I.e. there would be no server-generated challenge, just signed data coming from a CTAP2 compatible client.

[max-smyth]

Not sure I understand, Anders. Without a server challenge, ColectedClientData <https://www.w3.org/TR/webauthn-2/#dictdef-collectedclientdata> would not make sense to a FIDO server trying to verify a response from a client - the server would have no way of knowing if the response was coming from a User whose digital signature it could trust and verify. Perhaps, you can explain the larger context of what you're trying to achieve?

…

On 4/5/21 8:04 AM, Anders Rundgren wrote: Pardon my "n00b" status when it comes to FIDO servers... According to https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg <https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg>: fido <https://camo.githubusercontent.com/143cb72add2e96707d29c5c8f19d3e4cc434cb5f335b1097b212d2ed5cec72d4/68747470733a2f2f7733632e6769746875622e696f2f776562617574686e2f696d616765732f6669646f2d7369676e61747572652d666f726d6174732d666967757265322e737667> the signature consists of two parts. Question: I have an application which depends on `clientDataHash'. Is there any way using your server (hopefully unmodified) and even better, the simulator as well that permit this? I.e. there would be no server-generated challenge, just signed data coming from a CTAP2 compatible client. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#99>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALLPGO2J5FS4AAVR6JS2AA3THHGRVANCNFSM42M6GGRQ>.

[cyberphone]

Thanx Max for the quick response!
My application is not compliant with WebAuthn but (hopefully) with FIDO2/CTAP2.

Imagine a FIDO2 client that hashes a JSON object like:

  {
     "toPay": "$100.00"
  }

Result: b6 f0 85 c7 9a 3b 06 06 85 3e 12 89 d0 3a c3 8d cc 6a cf c3 df f4 11 99 cb 2a cc 2f 5b 73 f1 bc

This would then be used as clientDataHash in a local FIDO2 signature process.

A verifier has the original JSON object and hashes it as well. Now it wants to know if the received signature validates. The signer is supposed to provide the information required to identify the key like userid.

The idea is creating a functional equivalent to an EMV card.

https://fido-web-pay.github.io/

[cyberphone]

https://github.com/rsolomakhin/secure-payment-confirmation/issues/40#issuecomment-780156203