Re: [webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

Three thoughts. Note that I'm not involved in defining that field, and I don't have an opinion on whether SafetyNet needs to be in the pre-registered attestation format:
1. https://developer.android.com/training/safetynet/attestation.html#possible-results elaborates on what kinds of circumstances result in `basicIntegrity` being true or false. Does that help at all?

2. This resembles some anti-malware efforts I've looked at, where if you're too precise about what makes something malware or if you freeze the definition, that allows malware to circumvent the protection.

3. The Verification Procedure in https://w3c.github.io/webauthn/#android-safetynet-attestation says to check the `ctsProfileMatch` field, not the `basicIntegrity` field, so maybe it doesn't matter if `basicIntegrity` is badly-specified.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/437#issuecomment-328219592 using your GitHub account

Received on Friday, 8 September 2017 21:35:52 UTC
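The third point above, that the WebAuthn android-safetynet verification procedure keys on `ctsProfileMatch` rather than `basicIntegrity`, is illustrated by the following added example. It is not code from the thread, the WebAuthn spec, or any reference implementation. It applies the payload-level checks of that procedure (the nonce binding to `authenticatorData || clientDataHash`, then `ctsProfileMatch`) to a constructed SafetyNet response. The JWS here is built unsigned by a hypothetical helper so the example runs offline; it assumes the caller has already verified the RS256 signature against the `x5c` chain and checked that the leaf certificate is issued to `attest.android.com`, which this code does not do.

```python
import base64
import hashlib
import json

# Constructed inputs for this example (not from the thread): the
# authenticatorData and clientDataHash the relying party already holds
# for the registration being verified.
AUTH_DATA = bytes.fromhex("a1" * 37)
CLIENT_DATA_HASH = hashlib.sha256(b"constructed clientDataJSON").digest()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> str:
    # WebAuthn: nonce must equal base64(SHA-256(authenticatorData || clientDataHash)).
    digest = hashlib.sha256(auth_data + client_data_hash).digest()
    return base64.b64encode(digest).decode("ascii")


def build_constructed_jws(payload: dict) -> str:
    # Hypothetical helper producing an *unsigned* compact JWS so the example
    # runs offline. A real SafetyNet response is RS256-signed and carries an
    # x5c chain whose leaf certificate is issued to attest.android.com.
    header = {"alg": "RS256", "x5c": []}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b""),
    ])


def check_safetynet_payload(jws: str, auth_data: bytes,
                            client_data_hash: bytes) -> tuple[bool, str]:
    """Payload checks from the WebAuthn android-safetynet procedure.

    Assumption: the caller has already verified the JWS signature against
    the x5c chain and checked the leaf certificate's hostname is
    attest.android.com. Only the signed payload is inspected here.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "payload is not JSON"

    # The nonce binds the attestation to this credential creation, so a
    # response replayed from another registration fails here.
    if payload.get("nonce") != expected_nonce(auth_data, client_data_hash):
        return False, "nonce mismatch"

    # The procedure checks ctsProfileMatch, not basicIntegrity. Require a
    # strict boolean so a string "true" or a missing field is rejected.
    if payload.get("ctsProfileMatch") is not True:
        return False, "ctsProfileMatch is not true"

    return True, "ok"


# Constructed payloads. The second has basicIntegrity true but fails the
# procedure, because basicIntegrity is not the field it checks.
CERTIFIED_DEVICE = {
    "nonce": expected_nonce(AUTH_DATA, CLIENT_DATA_HASH),
    "timestampMs": 1504906552000,
    "apkPackageName": "com.example.rp",
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}
UNCERTIFIED_DEVICE = dict(CERTIFIED_DEVICE, ctsProfileMatch=False)


def run_examples() -> dict[str, tuple[bool, str]]:
    other_hash = hashlib.sha256(b"some other registration").digest()
    return {
        "certified": check_safetynet_payload(
            build_constructed_jws(CERTIFIED_DEVICE), AUTH_DATA, CLIENT_DATA_HASH),
        "uncertified": check_safetynet_payload(
            build_constructed_jws(UNCERTIFIED_DEVICE), AUTH_DATA, CLIENT_DATA_HASH),
        "replayed": check_safetynet_payload(
            build_constructed_jws(CERTIFIED_DEVICE), AUTH_DATA, other_hash),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, result)
```

The strict `is not True` comparison matters in practice: a JSON payload can carry `"ctsProfileMatch": "true"` or omit the field, and a truthiness check would wave both through.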