Comments (7)
Firstyear
commented on September 15, 2024
I think the major tasks outstanding here are:
- TPM attestation
- Android Attestation
- RS384, RS512, PS*, ECDSA_384, ECDSA_512, and ED25519 crypto
- Extensions
I think once those are implemented, we'd be most of the way there, then it will be a case of running the conformance suite to catch anything we missed. We should consider that any test we fail can become a test vector within the codebase to ensure continued conformance.
from webauthn-rs.
Firstyear
commented on September 15, 2024
Okay, interestingly due to the recent security discoveries with regard to userVerification me may not be able to pass the FIDO conformance suite. I would prefer to be "correct" that "conformant" in this case, but we'll see how it goes during the test.
from webauthn-rs.
madwizard-thomas
commented on September 15, 2024
The FIDO conformance tests do not always align with the WebAuthn spec. One issue I came across is that the conformance tests do not require user presence (UP) to be always set (they call it 'silent authentication' which WebAuthn does not allow), while WebAuthn is clear about this. To solve these kind of issues I used a policy/config object that allows to toggle such behavior (eg setUserPresenceRequired, while sticking to the WebAuthn spec rather than FIDO by default). Also I have come across a fair amount of bugs in the conformance tests as well.
from webauthn-rs.
Firstyear
commented on September 15, 2024
Hmmm that's an interesting thought. We could have a 'fidoConformance' flag that we toggle if it's required to change some behaviour (but off by default) especially if we deviate from the conformance tests.
from webauthn-rs.
madwizard-thomas
commented on September 15, 2024
Is there an executable to test webauthn-rs with the conformance tests already?
from webauthn-rs.
Firstyear
commented on September 15, 2024
No, we don't currently have that. It would be interesting for certain to port the conformance tests into our test suite to execute them there automatically, but so far it's not been a critical issue as most people care more the library working :)
from webauthn-rs.
Firstyear
commented on September 15, 2024
It's unclear if we'll ever be able to do or bother to do this, and no one seems to care much if it's compliant anyway
from webauthn-rs.
Related Issues (20)
- Application stops without any error message in build phase when running in docker container HOT 12
- Start the flow without creating unique_user_id? HOT 1
- Actix tutorial fails to finish registration in Safari HOT 3
- Google Titan Security Key USB-C/NFC fails some compatibility tests HOT 9
- Add EdDSA capabilities HOT 13
- Verifying CredentialID has not been previously registered and updating credential HOT 38
- Conditional compilation of webauthn_rs_core::attestation::verify_attestation_ca_chain HOT 5
- No getTransports when attesting a security key HOT 3
- [Discussion] What order should COSEAlgorithms be in secure_algs and all_possible_algs?
- Fixup clippy 1.75 lints (get_first)
- `name` and `displayName` validation of empty strings leads to `InvalidUsername HOT 6
- CredProps::rk should be public HOT 1
- `libssl.so.1.1` no such file or directory HOT 1
- Pure Rust cryptography backend HOT 5
- Build breaks on MSRV due to transitive dependency on bumpalo which exceeds our MSRV
- Missing enum variant of `AuthenticatorTransport` causes error on android HOT 2
- `danger_set_user_presence_only_security_keys()` seems not to be working HOT 2
- Dependency on old compact_jwt revision HOT 1
- Hybrid Transport (caBLE): State-assisted Transactions
- Server-side WASM support HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn-rs.