[webauthn] Add acceptable trust anchors to AuthenticatorSelectionCriteria from Jeffrey Yasskin via GitHub on 2017-05-11 (public-webauthn@w3.org from May 2017)

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Thu, 11 May 2017 19:31:38 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-228097099-1494531096-sysbot+gh@w3.org>

jyasskin has just created a new issue for https://github.com/w3c/webauthn:

== Add acceptable trust anchors to AuthenticatorSelectionCriteria ==
In order to accept a created credential, Relying Parties are told in [Registering a new credential](https://w3c.github.io/webauthn/#registering-a-new-credential) to:
> 12. Assess the attestation trustworthiness using the outputs of the verification procedure in step 10, as follows:
>     * If self-attestation was used, check if self-attestation is acceptable under Relying Party policy.
>     * If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 11.
>     * Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

However, without an addition to the [AuthenticatorSelectionCriteria](https://w3c.github.io/webauthn/#authenticatorSelection), the user can't get any indication from their Client about which authenticators will be attested by an acceptable trust anchor.

@gmandyam's issues #445, #446, and #447 all depend on this, since the RP can't trust any of those protection claims without a trusted attestation.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/461 using your GitHub account

Received on Thursday, 11 May 2017 19:31:45 UTC