- From: Adam Powers via GitHub <sysbot+gh@w3.org>
- Date: Fri, 15 Jun 2018 17:00:51 +0000
- To: public-webauthn@w3.org
Step 16 of RP Operations handles my concern about not saying to validate the x5c Array; however, each attestation scheme has its own root certificates. I have no idea where to grab the TPM root (or even if there's one root issued by TCG or each manufacturer has their own root). I'm guessing that I can probably search around for the SafetyNet root, but it sure would be nice to include a link to it in the spec. In the SafetyNet Attestation API docs there is a section entitled [Verify the compatibility check response](https://developer.android.com/training/safetynet/attestation#verify-compat-check) that says to check the signature of the JWS... maybe a pointer to that is what is needed?

@leshi It's still not clear to me how to correlate the `ver` with the `response` to make sure the response is right. It's not like there's a `version` member inside the response payload:

```js
{
  "nonce": "lWkIjx7O4yMpVANdvRDXyuORMFonUbVZu4/Xy7IpvdRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQKglxHyfnRKAZVqiJdIqtqf4I9dx0oO6/zAO8TnDojvEZAq2DZkByI1fcoWVQEq/O3FLH5aOwzbrrxrJ65U5dYqlAQIDJiABIVggh5OJfYRDzVGIowKqU57AnoVjjdmmjGi9zlMkjAVV9DAiWCDr0iSi0viIKNPMTIdN28gWNmkcwOr6DQx66MPff3Odm+u6eJqLBl1H2S2trABHLinknsyVMPm/BNUVZ2JFlr80",
  "timestampMs": 1528911634385,
  "apkPackageName": "com.google.android.gms",
  "apkDigestSha256": "JOC3UkslsuVz13eOpnFI9BpLoqBg9k1F6OfaPtB/GjM=",
  "ctsProfileMatch": false,
  "apkCertificateDigestSha256": [
    "GXWy8XF3vIml3/MfnmSmyuKBpT3B0dWbHRR/4cgq+gA="
  ],
  "basicIntegrity": false,
  "advice": "RESTORE_TO_FACTORY_ROM,LOCK_BOOTLOADER"
}
```

--
GitHub Notification of comment by apowers313
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/950#issuecomment-397683044 using your GitHub account
Received on Friday, 15 June 2018 17:00:54 UTC
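The payload-level checks an RP makes on a SafetyNet attestation statement after the JWS signature discussed above has been verified, as an added example that is not part of the original message or of the WebAuthn spec text. It assumes the WebAuthn rule that `nonce` equals base64(SHA-256(authenticatorData || clientDataHash)); the sample JWS is constructed with placeholder `x5c` and signature values, the freshness window is an arbitrary assumption, and signature/chain verification and the `ver` question are deliberately left out.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> str:
    # WebAuthn binds the SafetyNet response to this ceremony through the nonce.
    return base64.b64encode(hashlib.sha256(auth_data + client_data_hash).digest()).decode()


def make_sample_jws(payload: dict) -> str:
    # Constructed sample only: the x5c entry and signature are placeholders,
    # so this JWS would (and should) fail a real signature check.
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-DER-BASE64"]}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-signature")])


def check_safetynet_response(jws: str, auth_data: bytes, client_data_hash: bytes,
                             now_ms: int, max_age_ms: int = 60_000) -> dict:
    """Payload checks only. The JWS signature and x5c chain (leaf issued to
    attest.android.com) must be verified with a JOSE/X.509 library before
    anything returned here is trusted."""
    header_b64, payload_b64, _sig = jws.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256" or not header.get("x5c"):
        raise ValueError("unexpected JWS header: %r" % header)
    payload = json.loads(b64url_decode(payload_b64))
    problems = []
    if payload.get("nonce") != expected_nonce(auth_data, client_data_hash):
        problems.append("nonce mismatch")
    if payload.get("ctsProfileMatch") is not True:
        problems.append("ctsProfileMatch is not true")
    if payload.get("basicIntegrity") is not True:
        problems.append("basicIntegrity is not true")
    if payload.get("apkPackageName") != "com.google.android.gms":
        problems.append("unexpected apkPackageName")
    ts = payload.get("timestampMs")
    # Freshness window is an assumption; tune it to the RP's clock-skew tolerance.
    if not isinstance(ts, int) or not (now_ms - max_age_ms <= ts <= now_ms + 5_000):
        problems.append("timestampMs outside freshness window")
    return {"ok": not problems, "problems": problems, "advice": payload.get("advice")}
```

A response shaped like the one quoted above (`ctsProfileMatch` and `basicIntegrity` both false) is rejected with the `advice` string surfaced for logging.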