RE: Android Key Attestation is "Self Attestation" ?

No, sorry, that text is confusing.

AIUI the Android Key Attestation signature is itself in the form of an X.509 certificate. This certificate contains the credential public key and is signed by the attesting key. This public key (the one inside the signature-which-looks-like-a-certificate) is what's being talked about here.

-----Original Message-----
From: Hodges, Jeff [mailto:jeff.hodges@paypal.com] 
Sent: Monday, October 24, 2016 2:40 PM
To: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Android Key Attestation is "Self Attestation" ?

in S 6.4 "Android Key Attestation Format" {#android-key-attestation} (master branch commit 1eebeed), there is this bullet item in the "Verification procedure" subsection..

  * Verify that the public key in the attestation certificate matches the
    credential public key in the attestation data field of the given
    authenticatorData.

..which implies (to me) that Android Key Attestation is "Self Attestation"
(because the the attested public key is the same as the cred public key, which implies the attestation sig was done using the cred private key)

Is this correct, i.e., Android Key Attestation is "Self Attestation" ?

thanks,

=JeffH

Received on Wednesday, 26 October 2016 18:01:14 UTC