W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2016

Android Key Attestation is "Self Attestation" ?

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Mon, 24 Oct 2016 21:40:24 +0000
To: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <D433CDD3.D96F4%jehodges@paypalcorp.com> 
in S 6.4 "Android Key Attestation Format" {#android-key-attestation}
(master branch commit 1eebeed), there is this bullet item in the
"Verification procedure" subsection..

  * Verify that the public key in the attestation certificate matches the
    credential public key in the attestation data field of the given
    authenticatorData.

..which implies (to me) that Android Key Attestation is "Self Attestation"
(because the the attested public key is the same as the cred public key,
which implies the attestation sig was done using the cred private key)

Is this correct, i.e., Android Key Attestation is "Self Attestation" ?

thanks,

=JeffH
Received on Monday, 24 October 2016 21:41:10 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:18 UTC