[webauthn] Define how to verify the attestation certificate

jyasskin has just created a new issue for https://github.com/w3c/webauthn:

== Define how to verify the attestation certificate ==
https://w3c.github.io/webauthn/#registering-a-new-credential says
> Use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

@sahf says that leaves a bunch of questions unanswered:

1. Should the RP honor the validity dates in the attestation certificate? If so, how should the user be told that his token is too old to be used?
2. Should the RP honor the "critical" bit for X.509 extensions, meaning that it should refuse to register in the case where a token sends a critical extension that is not understood?
3. May a token return a chain consisting of multiple certificates, and if so, may the RP build a different chain than the one that was supplied?
4. May/should the RP consult any of the standard revocation mechanisms specified in the certificate, such as a CRL or OCSP responder?
5. …

We might be able to start by referring to https://tools.ietf.org/html/rfc5280#section-6, but I think that still leaves a bunch of the above questions open, and isn't the most helpful format for RPs trying to write an implementation.

I've marked this low priority because we may want to discourage RPs from checking certificate validity at all (#576), in which case most of them won't care about the details of how to check the certificate. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/605 using your GitHub account

Received on Wednesday, 4 October 2017 03:23:58 UTC
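As an added illustration of what an RP implementation actually has to decide for the first three questions above (this is example code written for this archive page, not code from the WebAuthn spec or any RP library), the Go program below builds a constructed root -> intermediate -> attestation leaf hierarchy and verifies the leaf with the standard library's crypto/x509. Validity dates are evaluated at an explicit time (question 1); a critical extension the RP does not recognise is rejected unless the RP explicitly opts to treat it as handled (question 2); and the RP builds its own path from the leaf through the supplied intermediates to its own trust anchors, so omitting the intermediate fails even though the root is trusted (question 3). The result codes, the OID 1.3.6.1.4.1.99999.1 used as the "unknown" critical extension, and the certificate names are all placeholders constructed for the demo; revocation checking (question 4) is not something crypto/x509 does for you and is not attempted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// VerifyResult is the outcome the RP maps a verification to (placeholder codes, not from the spec).
type VerifyResult string

const (
	ResultOK                VerifyResult = "ok"
	ResultExpired           VerifyResult = "leaf-expired-or-not-yet-valid"
	ResultUnhandledCritical VerifyResult = "unhandled-critical-extension"
	ResultUntrusted         VerifyResult = "no-chain-to-trusted-root"
)

// Constructed OID for a critical extension this RP does not understand; not a real extension.
var unknownCriticalOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// VerifyAttestationCert chains the attestation leaf through the intermediates the authenticator supplied
// to one of the RP's trusted roots, evaluated at time `at` (question 1), and on success returns the length
// of the chain it built (question 3). acceptUnknownCritical is the RP's answer to question 2: true treats
// critical extensions the RP does not recognise as handled instead of refusing to register.
func VerifyAttestationCert(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time, acceptUnknownCritical bool) (VerifyResult, int) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	if acceptUnknownCritical {
		// Verify rejects any cert whose UnhandledCriticalExtensions is non-empty, so clear it on a copy.
		l := *leaf
		l.UnhandledCriticalExtensions = nil
		leaf = &l
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, CurrentTime: at,
		// Attestation certificates carry no TLS serverAuth EKU, which crypto/x509 would otherwise demand.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		var uce x509.UnhandledCriticalExtension
		var cie x509.CertificateInvalidError
		switch {
		case errors.As(err, &uce):
			return ResultUnhandledCritical, 0
		case errors.As(err, &cie) && cie.Reason == x509.Expired:
			return ResultExpired, 0
		default: // typically x509.UnknownAuthorityError: no path to a trusted root
			return ResultUntrusted, 0
		}
	}
	return ResultOK, len(chains[0])
}

// keyUsage picks the key-usage bits for a CA (true) or end-entity (false) template.
var keyUsage = map[bool]x509.KeyUsage{true: x509.KeyUsageCertSign, false: x509.KeyUsageDigitalSignature}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced; parsing it cannot fail
	return c
}

func template(serial int64, cn string, ca bool, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: keyUsage[ca],
	}
}

// BuildTestPKI generates a constructed root -> intermediate -> attestation leaf hierarchy standing in for a
// vendor's chain (fresh keys each run, valid from an hour ago until 24 hours from now). With
// withUnknownCritical the leaf also carries unknownCriticalOID flagged critical (value: DER NULL).
func BuildTestPKI(withUnknownCritical bool) (leaf, inter, root *x509.Certificate, now time.Time) {
	now = time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := template(1, "Constructed Attestation Root", true, now)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = issue(template(2, "Constructed Attestation Intermediate", true, now), root, &interKey.PublicKey, rootKey)
	leafTmpl := template(3, "Constructed Authenticator Attestation", false, now)
	if withUnknownCritical {
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: unknownCriticalOID, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	leaf = issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return leaf, inter, root, now
}
```

Two design points are worth noting for anyone writing an RP. First, crypto/x509 answers question 2 for you in the strict direction: a parsed certificate with an unrecognised critical extension will not verify at all, so accepting such a token is an explicit policy step (clearing UnhandledCriticalExtensions on a copy, as above), not the default. Second, the RP never trusts the chain the authenticator sent as-is; the supplied certificates only populate the Intermediates pool, and the path is built from the leaf to the RP's own Roots, which is what makes "may the RP build a different chain" a natural yes in this model.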