W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2017

Re: [webauthn] Android SafetyNet Attestation lacks information on authenticator provenance

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Thu, 04 May 2017 02:17:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-299083107-1493864221-sysbot+gh@w3.org>
@equalsJeffH 

I don't think it is that simple.  The current text in https://w3c.github.io/webauthn/#android-safetynet-attestation states that the caller of the SafetyNet API is "typically an application running on the Android platform".  I assume therefore that such an application is the authenticator itself, and if the SafetyNet token cannot attest to its provenance then it is not a valid attestation.  

An alternative could be that the application in this case creates a Webauthn packed attestation, and includes the SafetyNet token as an extension.  If this is the approach necessary to satisfy the Webauthn requirements for attestation (as per the terminology section) for an Android SW authenticator, then the SafetyNet token should be removed from the list of acceptable Webauthn attestation formats.

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/438#issuecomment-299083107 using your GitHub account
Received on Thursday, 4 May 2017 02:17:09 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:25 UTC