
Re: Attestation changes (was RE: [webauthn] new commits pushed by rlin1)

From: Rolf Lindemann <rlindemann@noknok.com>
Date: Wed, 14 Sep 2016 18:48:03 +0200
Message-ID: <CA+rhY9a613zY9HenzdsC1tTdNw8aTUF5vmvqqhYa50RPxz10Vw@mail.gmail.com>
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>

Hi Vijay,

I am open to further name changes.
The main reasons to add Android "N" were:
a) I think we should remove SafetyNet attestation as this attests to the
platform, but not to the authenticator.
b) Android "N" is in some sense the opposite of TPM attestation since the
level2Data is controlled by the Client and not by the Authenticator.  I
have done it in the same way as we did for the latest UAF version - with
support from the experts.

I am fine with merging it into your vgb-modular-attestation branch, I think
we want it in one branch.  Didn't want to do it without your involvement.

Kind regards,

On Wed, Sep 14, 2016 at 6:34 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:

> Thanks very much for doing this, Rolf. I hadn't been able to finish this
> up yet unfortunately.
>
> I was looking at the diffs
> (https://github.com/w3c/webauthn/compare/vgb-modular-attestation...rolf-modular-attestation-changes)
> and I agree with a lot of the changes, and I think
> they make for a more consistent description of attestation overall.
>
> Two things I think we could discuss:
>
> 1. Naming - I feel like level1Data and level2Data are perhaps not
> sufficiently evocative. How do you feel about authenticatorData and
> attestedData? The former would be defined as things about the authenticator
> that might be said by anyone, and the latter is things that the
> authenticator (or its crypto kernel) actually attested to.
>
> 2. You added Android N attestation. Thanks for doing this - it fixes #103
> and #128, and it also provides a nice test case for adding new attestation
> types in the new structure. However, I am far from an expert on Android N,
> so perhaps someone who knows more about that could double-check the section
> for technical accuracy?
>
> Regarding logistics, would you be okay if I pull this into my attestation
> branch, then submit the whole merged thing as one unit once we've signed
> off as a group?
>
> -----Original Message-----
> From: Rolf Lindemann via GitHub [mailto:sysbot+gh@w3.org]
> Sent: Wednesday, September 14, 2016 6:55 AM
> To: public-webauthn@w3.org
> Subject: [webauthn] new commits pushed by rlin1
> The following commits were just pushed by rlin1 to
> https://github.com/w3c/webauthn:
> * more notes added
>   by rlin1
> https://github.com/w3c/webauthn/commit/7c1c58000eff2de718a01686292c0f1807de1cd8
> * merged
>   by rlin1
> https://github.com/w3c/webauthn/commit/72a6e293ceff9fc8b23ea71ef068b64a1ec3c16a


*Rolf* *Lindemann*
Senior Director, Products and Technology
D  / rlindemann@noknok.com

*Nok Nok Labs Inc.*
2100 Geng Road, Suite 105
Palo Alto, CA 94303
T +1 650 433 1300

*www.noknok.com* <http://www.noknok.com>

Received on Wednesday, 14 September 2016 16:48:34 UTC
