Android Key Attestation is "Self Attestation" ? from Hodges, Jeff on 2016-10-24 (public-webauthn@w3.org from October 2016)

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Mon, 24 Oct 2016 21:40:24 +0000
To: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <D433CDD3.D96F4%jehodges@paypalcorp.com>

in S 6.4 "Android Key Attestation Format" {#android-key-attestation}
(master branch commit 1eebeed), there is this bullet item in the
"Verification procedure" subsection..

  * Verify that the public key in the attestation certificate matches the
    credential public key in the attestation data field of the given
    authenticatorData.

..which implies (to me) that Android Key Attestation is "Self Attestation"
(because the the attested public key is the same as the cred public key,
which implies the attestation sig was done using the cred private key)

Is this correct, i.e., Android Key Attestation is "Self Attestation" ?

thanks,

=JeffH

Attachments

text/html attachment: default.html

Received on Monday, 24 October 2016 21:41:10 UTC