[webauthn] Packed and U2F Attestation Statements' verifications don't differentiate between Basic and Privacy CA Attestation Types from J.C. Jones via GitHub on 2017-10-18 (public-webauthn@w3.org from October 2017)

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 22:11:20 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-266658721-1508364678-sysbot+gh@w3.org>

jcjones has just created a new issue for https://github.com/w3c/webauthn:

== Packed and U2F Attestation Statements' verifications don't differentiate between Basic and Privacy CA Attestation Types ==
The [Packed Attestation Statement Format](https://w3c.github.io/webauthn/#packed-attestation) is valid for all Attestation Types. 

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2313-L2317

However, in its **verification procedure** it assumes that if `x5c` is present, that attestations are type `Basic`:

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2387-L2393

However, that's what the `Privacy CA` attestation will look like, too.

Similarly, it's technically feasible for a browser to use the `Privacy CA` option for U2F, and we might want to do so for - say - private browsing mode. Yet U2F Attestation Format suffers the same issue -- in addition, it excludes `Privacy CA` which seems wrong, as it'd be useful:

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2686-L2690

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/656 using your GitHub account

Received on Wednesday, 18 October 2017 22:11:22 UTC