Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add compound attestation format #1950

Merged
merged 11 commits into from
Oct 6, 2023
29 changes: 29 additions & 0 deletions index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -6264,6 +6264,35 @@ This attestation statement format is exclusively used by Apple for certain types
5. Verify that the [=credential public key=] equals the Subject Public Key of |credCert|.
6. If successful, return implementation-specific values representing attestation type [=Anonymization CA=] and attestation trust path |x5c|.

## Compound Attestation Statement Format ## {#sctn-compound-attestation}

The "compound" attestation statement format is used to pass multiple, self-contained attestation statements in a single ceremony.


: Attestation statement format identifier
:: compound

: Attestation types supported
:: Any. See [[#sctn-attestation-types]].

: Syntax
:: The syntax of a compound attestation statement is defined as follows:

```
$$attStmtType //= (
fmt: "compound",
attStmt: [2* nonCompoundAttStmt]
)

nonCompoundAttStmt = { $$attStmtType } .within { fmt: text .ne "compound" }
```

: Signing procedure
:: Not applicable

: Verification procedure
:: For every element in the array, validate the attestation statement based on the verification procedure specified for that format (using the `fmt` identifier). If validation fails for one or more compound attestation statements, [=[RPS]=] should decide the appropriate results based on policy from information they have about the [=authenticators=].
timcappalli marked this conversation as resolved.
Show resolved Hide resolved

# <dfn>WebAuthn Extensions</dfn> # {#sctn-extensions}

The mechanism for generating [=public key credentials=], as well as requesting and generating Authentication assertions, as
Expand Down
Loading