[webauthn] Android key attestation missing certificate validation steps (#1167)

bdewater has just created a new issue for https://github.com/w3c/webauthn:

== Android key attestation missing certificate validation steps ==
This [blog post](https://medium.com/@herrjemand/webauthn-fido2-verifying-android-keystore-attestation-4a8835b33e9d) by @herrjemand mentions:

> 6. Check that root certificate (last in the chain) is set to:
> https://gist.github.com/herrjemand/a612608dfbb2bc136aba57c64ff4a04c#file-androidkey-attestation-root-pem
> At the moment of writing, Google does not publish this certificate, so this was extracted from one of the attestations.
> 7. Verify certificate path using the algorithm specified in RFC5280 section 6

and further down in the code snippet:

> * The last certificate in x5c must match this certificate
> * This needs to be checked to ensure that malicious party won't generate fake attestations

It struck me as odd that these steps are not mentioned in the spec given these warnings.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1167 using your GitHub account
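The two checks quoted above (pin the last x5c certificate to a known root, then validate the path per RFC 5280 section 6) as an added Go example; this is not code from the spec, the issue or the linked blog post. It relies on Go's standard crypto/x509 path validation, the function names are my own, and mkCert is a hypothetical helper that only issues a constructed Ed25519 chain for testing; a real relying party passes the DER of the root published in the gist linked above as pinnedRootDER.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyX5CAgainstPinnedRoot takes an attestation x5c (leaf first, root last) and applies both quoted checks.
func VerifyX5CAgainstPinnedRoot(x5c [][]byte, pinnedRootDER []byte) error {
	n := len(x5c)
	if n < 2 || !bytes.Equal(x5c[n-1], pinnedRootDER) {
		return errors.New("x5c too short or its last certificate is not the pinned root")
	}
	var certs []*x509.Certificate
	for _, der := range x5c {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[n-1]) // only the pinned root is trusted, never the system store
	for _, c := range certs[1 : n-1] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // attestation certs carry no TLS EKU
	return err
}

// mkCert is a hypothetical test helper: it issues a constructed Ed25519 certificate for cn, self-signed CA when parent is nil.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return der, cert, key
}
```

Pinning alone is not enough: a chain whose last element is the genuine root but whose leaf was not issued under it passes the byte comparison and is only rejected by the path validation step.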

Received on Wednesday, 6 March 2019 06:02:11 UTC