s

(content and format is specific to attestation type)

Obtain user consent, generate: key kpub, key kpriv, cred.id; marshal authenticatorData (aD), store kpriv and rpId;

Derive rpId from callerOrigin (cO), normalize cP, process cE into extResult, obtain TokenBindingID (TBID):

Authenticator

User Agent / WebAuthn API

Relying Party

attestationChallenge (aC), cryptoParameters (cP), accountInformation (aInfo), credentialExtensions (cE), ...

aC, cO, cP.alg, TBID, extResult, rpID, aInfo, cP.type, etc...

c

cred{ id, type }, kpub, attstn{ atType, c, { aD, cert, sig(..., kpub, ...) } }

cred{ id, type }, kpub, attstn{ atType, c, { aD, cert, s } }

Verify signed objects as appropriate; store: key kpub, cred.id

Registration

( possibly plus ambient authn, e.g., a cookie )