Re: [webauthn] Is android-safetynet attestation trust path limited to one cert? (#1132)

Yeah, this isn't quite ideal. Indeed, x5c contains not only the certificate for the signing key of the JWS response but the whole chain, which is definitely not limited to one cert. This may be new, since the SafetyNet response format changes from time to time, hence the version field. But I'm not quite sure actually.

So yes, the trust path should include the whole chain.

Additionally, the instructions should clarify that the hostname to check is in the leaf cert, and that (importantly) the verifier should actually verify the certificate chain. That implies verifying its signatures and that the root is trusted by the RP.

I wonder if it's best to simply refer to [SafetyNet documentation](https://developer.android.com/training/safetynet/attestation#verify-compat-check) on this, rather than chasing any potential changes there.

-- 
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1132#issuecomment-454998300 using your GitHub account

Received on Thursday, 17 January 2019 00:40:19 UTC
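An added Go example of the verification the comment above asks for. It is not part of the comment, the WebAuthn spec or Google's code: it uses only the Go standard library, assumes the SafetyNet JWS is RS256-signed with `x5c` holding base64 DER certificates leaf-first (the layout Google's documentation shows), and stands up a constructed root -> intermediate -> leaf chain in place of Google's real one, since that chain cannot be embedded here. `VerifySafetyNetJWS`, `NewTestChain` and `SignJWS` are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hostname the SafetyNet docs require in the leaf certificate of the x5c chain.
const safetyNetHost = "attest.android.com"

type jwsHeader struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"` // base64 (not base64url) DER certs, signing cert first
}

// VerifySafetyNetJWS validates the whole x5c chain (every signature, validity at now, a root
// the RP trusts, the hostname in the leaf) and only then the RS256 JWS signature with the
// leaf key. It returns the decoded payload; checking the claims in it is the caller's job.
func VerifySafetyNetJWS(jws string, roots *x509.CertPool, now time.Time) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected header.payload.signature")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws header: %w", err)
	}
	var hdr jwsHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("jws header: %w", err)
	}
	if hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("jws header: need alg RS256 and a non-empty x5c")
	}
	var certs []*x509.Certificate
	for i, b64 := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		certs = append(certs, c)
	}
	// x5c[0] signed the JWS; the rest only helps build the path. Trust comes from roots alone.
	leaf, intermediates := certs[0], x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	// Path validation: chain signatures, validity, trusted root; DNSName is matched on the leaf only.
	opts := x509.VerifyOptions{DNSName: safetyNetHost, Roots: roots, Intermediates: intermediates, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain: %w", err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jws signature: %w", err)
	}
	// RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "<b64 header>.<b64 payload>".
	if err := leaf.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, fmt.Errorf("jws signature: %w", err)
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// Constructed fixture standing in for Google's chain: root -> intermediate -> leaf.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestChain returns the RP's root pool, the x5c list (leaf then intermediate) and the leaf key.
func NewTestChain(leafHost string) (*x509.CertPool, []string, *rsa.PrivateKey) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
		if ca {
			c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
		} else {
			c.DNSNames, c.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	issue := func(t, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
	}
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	intKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := tmpl(1, "Constructed Test Root", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(tmpl(2, "Constructed Test Intermediate", true), root, &intKey.PublicKey, rootKey)
	leaf := issue(tmpl(3, leafHost, false), inter, &leafKey.PublicKey, intKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	enc := base64.StdEncoding.EncodeToString
	return roots, []string{enc(leaf.Raw), enc(inter.Raw)}, leafKey
}

// SignJWS plays the attestation service: an RS256 JWS whose header carries the given x5c.
func SignJWS(payload []byte, x5c []string, key *rsa.PrivateKey) string {
	hdr := must(json.Marshal(jwsHeader{Alg: "RS256", X5c: x5c}))
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	roots, x5c, key := NewTestChain(safetyNetHost)
	payload := []byte(`{"nonce":"constructed"}`) // constructed sample payload
	_, full := VerifySafetyNetJWS(SignJWS(payload, x5c, key), roots, time.Now())
	_, leafOnly := VerifySafetyNetJWS(SignJWS(payload, x5c[:1], key), roots, time.Now())
	fmt.Printf("full chain: %v\nleaf only: %v\n", full, leafOnly)
}
```

The leaf-only case fails chain validation because the leaf alone cannot be linked to anything in the RP's root pool, which is the practical consequence of the point made in the comment: the trust path has to include all of x5c. Two design choices worth keeping when adapting this: the hostname is checked against the leaf only (Go's `DNSName` option does exactly that), and certificates found in x5c are used only as intermediates, so trust never comes from the attestation response itself.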