
Yes. You can intercept the navigator.credentials.get call and look at the signature format.

I did this and it seems to be an ECDSA P-256 signature.



Limited knowledge on the protocol, but if they’re wrapping/encrypting and then signing the key, how would one know what key is being sent to Apple?


I've only looked at the signature-side of things in web.

You can't enroll the keys through the WebUI; only use them. So enrollment is happening in the iPhone app. They use WebAuthn, an open standard for public key signatures.

I suppose the iPhone app uses https://developer.apple.com/documentation/authenticationserv... for key creation, as that's the native counterpart for creating WebAuthn keys.

The only supported key-algorithm for this API is https://developer.apple.com/documentation/authenticationserv... (ES256), so I'm 99% sure they are indeed using ES256 keys.
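
An added example, not part of the thread or any participant's code: for ES256 the signature field of a WebAuthn assertion returned by navigator.credentials.get is a DER-encoded ECDSA signature, and this parser checks that structure and the size of r and s. The sample bytes are constructed and the function names are hypothetical.

```javascript
// Added example (not from the thread). SAMPLE_SIG is constructed, not captured.
// ES256 assertion signatures are ASN.1 DER: SEQUENCE { INTEGER r, INTEGER s }.
const SAMPLE_SIG = Uint8Array.from([
  0x30, 0x45,
  0x02, 0x21, 0x00, ...Array(32).fill(0xab), // r: top bit set, so DER adds a 0x00 pad
  0x02, 0x20, ...Array(32).fill(0x11),       // s
]);

function readLength(buf, pos) {
  // DER length: short form (< 0x80) or long form (0x81 / 0x82 followed by the length bytes)
  let len = buf[pos++];
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 2) throw new Error("unsupported DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  return { len, pos };
}

function readInteger(buf, pos) {
  if (buf[pos] !== 0x02) throw new Error("expected INTEGER tag");
  const { len, pos: start } = readLength(buf, pos + 1);
  if (len === 0 || start + len > buf.length) throw new Error("truncated INTEGER");
  let bytes = buf.subarray(start, start + len);
  if (bytes[0] & 0x80) throw new Error("negative INTEGER");
  if (bytes.length > 1 && bytes[0] === 0x00) bytes = bytes.subarray(1); // drop sign pad
  return { bytes, pos: start + len };
}

function parseEcdsaSignature(sig) {
  const buf = sig instanceof Uint8Array ? sig : new Uint8Array(sig); // accepts ArrayBuffer
  if (buf[0] !== 0x30) throw new Error("not a DER SEQUENCE");
  const { len, pos } = readLength(buf, 1);
  if (pos + len !== buf.length) throw new Error("length does not match buffer");
  const r = readInteger(buf, pos);
  const s = readInteger(buf, r.pos);
  if (s.pos !== buf.length) throw new Error("unexpected data after s");
  // r and s are below the group order, so their size bounds the curve size.
  // This cannot tell P-256 from another 256-bit curve; that needs the public key.
  const bits = Math.max(r.bytes.length, s.bytes.length) * 8;
  return { rLen: r.bytes.length, sLen: s.bytes.length, bits, fitsP256: bits <= 256 };
}

console.log(parseEcdsaSignature(SAMPLE_SIG));
```

A raw 64-byte r||s value, the form WebCrypto verification expects for ECDSA, is rejected by this parser because it is not DER.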



