Re: [webauthn] Android SafetyNet Attestation lacks information on authenticator provenance

@equalsJeffH 

I don't think it is that simple. The current text in https://w3c.github.io/webauthn/#android-safetynet-attestation states that the caller of the SafetyNet API is "typically an application running on the Android platform". I assume therefore that such an application is the authenticator itself, and if the SafetyNet token cannot attest to its provenance then it is not a valid attestation.

An alternative could be that the application in this case creates a WebAuthn packed attestation, and includes the SafetyNet token as an extension. If this is the approach necessary to satisfy the WebAuthn requirements for attestation (as per the terminology section) for an Android SW authenticator, then the SafetyNet token should be removed from the list of acceptable WebAuthn attestation formats.

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/438#issuecomment-299083107 using your GitHub account

Received on Thursday, 4 May 2017 02:17:09 UTC
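The following is an added example, not code from the thread, the WebAuthn spec, or Google's SafetyNet API. It makes the provenance point above concrete by decoding what each side of a registration actually carries: the SafetyNet JWS payload names the calling app (apkPackageName, apkCertificateDigestSha256) and device-integrity verdicts, and binds itself to the ceremony only through the spec's nonce rule (nonce == base64(SHA-256(authenticatorData || clientDataHash))), while the AAGUID that identifies an authenticator model sits in authenticatorData, which a packed attestation signs directly. All sample inputs (AAGUID, credential id, APK name, digests, the JWS header and signature segment) are constructed placeholders; verifying the RS256 signature and the x5c chain (leaf for attest.android.com) is assumed to be done by a JWS library before these checks run and is not repeated here.

```python
import base64
import hashlib
import json
import struct


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4)
    | attestedCredentialData (AAGUID 16 | credIdLen 2 | credId | COSE key).
    A packed attestation signs over this whole byte string, so the AAGUID it
    carries is what an RP can rely on for authenticator model identity."""
    flags = auth_data[32]
    out = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & 0x01),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & 0x40:  # AT flag: attested credential data follows
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53].hex()
        out["credential_id"] = auth_data[55:55 + cred_len].hex()
    return out


def safetynet_claims(jws: str, auth_data: bytes, client_data_hash: bytes) -> dict:
    """Decode the SafetyNet JWS payload and apply the spec's nonce binding:
    nonce must equal base64(SHA-256(authenticatorData || clientDataHash)).
    Signature and x5c chain validation are assumed to have happened already."""
    _header, payload_b64, _sig = jws.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    expected = base64.b64encode(
        hashlib.sha256(auth_data + client_data_hash).digest()).decode()
    return {
        "nonce_bound": payload.get("nonce") == expected,
        "cts_profile_match": payload.get("ctsProfileMatch") is True,
        "basic_integrity": payload.get("basicIntegrity") is True,
        "calling_app": payload.get("apkPackageName"),
        "app_cert_digests": payload.get("apkCertificateDigestSha256", []),
        # No field in the payload names an authenticator model or AAGUID.
        "attests_authenticator_model": False,
    }


# --- constructed sample inputs (not real SafetyNet or authenticator output) ---
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CLIENT_DATA_HASH = hashlib.sha256(b"constructed clientDataJSON").digest()


def build_sample_auth_data() -> bytes:
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    flags = bytes([0x41])  # UP | AT
    sign_count = struct.pack(">I", 7)
    cred_id = b"\x01\x02\x03\x04"
    cose_key = b"\xa0"  # empty CBOR map stands in for the COSE public key
    return (rp_id_hash + flags + sign_count + SAMPLE_AAGUID
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


def build_sample_jws(auth_data: bytes, client_data_hash: bytes) -> str:
    """JWS-shaped token carrying the fields a SafetyNet payload has; the header
    x5c entry and the signature segment are placeholders, not verifiable."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-attest.android.com-leaf"]}
    nonce = base64.b64encode(
        hashlib.sha256(auth_data + client_data_hash).digest()).decode()
    payload = {
        "timestampMs": 1493864229000,
        "nonce": nonce,
        "apkPackageName": "com.example.softauthenticator",
        "apkCertificateDigestSha256": ["constructed-apk-cert-digest"],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
    segments = [b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    segments.append(b64url_encode(b"constructed-signature-not-verified"))
    return ".".join(segments)


def compare_formats() -> dict:
    """Return what each artifact tells the RP, plus a nonce mismatch case."""
    auth_data = build_sample_auth_data()
    jws = build_sample_jws(auth_data, SAMPLE_CLIENT_DATA_HASH)
    return {
        "authenticator_data": parse_authenticator_data(auth_data),
        "safetynet": safetynet_claims(jws, auth_data, SAMPLE_CLIENT_DATA_HASH),
        # Same token replayed against a different ceremony fails the binding.
        "safetynet_wrong_ceremony": safetynet_claims(jws, auth_data, b"\x00" * 32),
    }


if __name__ == "__main__":
    print(json.dumps(compare_formats(), indent=2))
```

Running it shows the contrast an RP policy has to live with: the SafetyNet result reports `calling_app` and integrity verdicts and `nonce_bound` true for the ceremony it was minted for (false when replayed), but `attests_authenticator_model` stays false because nothing in the payload corresponds to the AAGUID that `parse_authenticator_data` recovers from the signed authenticator data.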