
RE: Android Key Attestation is "Self Attestation" ?

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Wed, 26 Oct 2016 18:00:27 +0000
To: "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <49d808e5c46c429eac307cf6f42fea62@microsoft.com>
No, sorry, that text is confusing.

AIUI the Android Key Attestation signature is itself in the form of an X.509 certificate. This certificate contains the credential public key and is signed by the attesting key. This public key (the one inside the signature-which-looks-like-a-certificate) is what's being talked about here.

-----Original Message-----
From: Hodges, Jeff [mailto:jeff.hodges@paypal.com] 
Sent: Monday, October 24, 2016 2:40 PM
To: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Android Key Attestation is "Self Attestation" ?

in S 6.4 "Android Key Attestation Format" {#android-key-attestation} (master branch commit 1eebeed), there is this bullet item in the "Verification procedure" subsection..

  * Verify that the public key in the attestation certificate matches the
    credential public key in the attestation data field of the given
    authenticatorData.

..which implies (to me) that Android Key Attestation is "Self Attestation"
(because the attested public key is the same as the cred public key, which implies the attestation sig was done using the cred private key)

Is this correct, i.e., Android Key Attestation is "Self Attestation" ?

thanks,

=JeffH
Received on Wednesday, 26 October 2016 18:01:14 UTC
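The verification bullet Jeff quotes, and the distinction Vijay draws (the certificate's subject key is the credential key; the certificate's signature is by the attesting key), can be made concrete in code. The following is an added example written for this archive page; it is not code from the thread, the WebAuthn spec or Android. It assumes an ES256 / P-256 credential, uses small hand-rolled DER and CBOR readers rather than a library, and feeds itself a constructed, unsigned certificate as sample input; the P-256 base point stands in for a real credential public key. Checking the certificate chain back to a trusted attestation root, which is what makes this something other than self attestation, is a separate step and is not shown.

```python
"""Added example: is the SubjectPublicKeyInfo in the Android Key Attestation
leaf certificate the credentialPublicKey from authenticatorData?
Assumptions: P-256 / ES256 only, minimal DER and CBOR readers, and a
constructed unsigned certificate as sample input. Stdlib only."""
import hashlib
import struct


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """List the (tag, value) TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def spki_ec_point(cert_der):
    """Uncompressed EC point from the certificate's SubjectPublicKeyInfo."""
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate
    idx = 1 if fields[0][0] == 0xA0 else 0               # optional [0] version
    spki = fields[idx + 5][1]   # serial, sigAlg, issuer, validity, subject, spki
    _alg, (bs_tag, bs_val) = der_children(spki)
    if bs_tag != 0x03 or bs_val[0] != 0:                 # BIT STRING, 0 unused bits
        raise ValueError("unexpected subjectPublicKey BIT STRING")
    return bs_val[1:]


def cbor_decode(buf, pos=0):
    """Decode the CBOR subset a COSE_Key needs: ints, byte strings, maps."""
    ib, pos = buf[pos], pos + 1
    mt, ai = ib >> 5, ib & 0x1F
    if ai < 24:
        arg = ai
    elif ai in (24, 25, 26):
        n = 1 << (ai - 24)
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("unsupported CBOR additional info")
    if mt == 0:
        return arg, pos
    if mt == 1:
        return -1 - arg, pos
    if mt == 2:
        return buf[pos:pos + arg], pos + arg
    if mt == 5:
        m = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            m[k], pos = cbor_decode(buf, pos)
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % mt)


def credential_public_key(auth_data):
    """COSE_Key map from attestedCredentialData; the AT flag must be set."""
    if not auth_data[32] & 0x40:
        raise ValueError("authenticatorData carries no attested credential data")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    cose, _ = cbor_decode(auth_data, 55 + cred_id_len)
    return cose


def attestation_cert_key_matches(cert_der, auth_data):
    """The quoted verification bullet: certificate SPKI == credential key."""
    cose = credential_public_key(auth_data)
    if cose.get(1) != 2 or cose.get(-1) != 1:            # kty EC2, crv P-256
        raise ValueError("example handles only EC2 / P-256 keys")
    return spki_ec_point(cert_der) == b"\x04" + cose[-2] + cose[-3]


# --- constructed sample input (not a real attestation) ----------------------
def der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2


def build_sample_cert(point):
    """Structurally a v3 certificate carrying `point`; Names, Validity and the
    signature are empty placeholders, so it would fail any real chain check."""
    sig_alg = der(0x30, der(0x06, OID_ECDSA_SHA256))
    spki = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_PRIME256V1))
               + der(0x03, b"\x00" + point))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


# P-256 base point coordinates stand in for a real credential public key.
P256_GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
P256_GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
SAMPLE_COSE_KEY = (b"\xa5"                # map(5)
                   b"\x01\x02"            # 1 (kty)  : 2 (EC2)
                   b"\x03\x26"            # 3 (alg)  : -7 (ES256)
                   b"\x20\x01"            # -1 (crv) : 1 (P-256)
                   b"\x21\x58\x20" + P256_GX        # -2 (x)
                   + b"\x22\x58\x20" + P256_GY)     # -3 (y)
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()   # rpIdHash
                    + b"\x41"                                  # flags: UP | AT
                    + b"\x00\x00\x00\x00"                      # signCount
                    + bytes(16)                                # aaguid
                    + b"\x00\x10" + b"\x01" * 16               # credentialId
                    + SAMPLE_COSE_KEY)
SAMPLE_CERT = build_sample_cert(b"\x04" + P256_GX + P256_GY)

if __name__ == "__main__":
    print("cert key matches credential key:",
          attestation_cert_key_matches(SAMPLE_CERT, SAMPLE_AUTH_DATA))
```

Note what the comparison does and does not establish: a match only shows that the leaf certificate certifies the credential key. Whether that certification means anything depends on who signed the leaf, which is why a real verifier must also walk the x5c chain to a trusted attestation root and parse the attestation extension. A verifier that stops at the key comparison would accept a certificate the authenticator could have issued to itself, which is exactly the self-attestation reading the thread rules out.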
