Re: [webauthn] Refer android-safetynet verification to SafetyNet documentation? (#1135) from Emil Lundberg via GitHub on 2019-01-17 (public-webauthn@w3.org from January 2019)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 11:54:07 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-455145947-1547726046-sysbot+gh@w3.org>

I personally have no strong opinion either way on this. Reducing duplication is always nice, but I also find it difficult to find precise instructions in the SafetyNet documentation on how to verify the attestation statement offline - it seems like the target audience for the documentation is mainly Android app developers rather than cryptographic protocol implementers, as the primary option for verification seems to be to contact an online verification service. It's possible to piece together most of our [android-safetynet](https://w3c.github.io/webauthn/#android-safetynet-attestation) verification procedure from the [source code samples](https://github.com/googlesamples/android-play-safetynet/tree/master/server), except they don't do our verification of the `ctsProfileMatch` attribute.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1135#issuecomment-455145947 using your GitHub account

Received on Thursday, 17 January 2019 11:54:09 UTC