[webauthn] Packed and U2F Attestation Statements' verifications don't differentiate between Basic and Privacy CA Attestation Types

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 22:11:20 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-266658721-1508364678-sysbot+gh@w3.org>
jcjones has just created a new issue for https://github.com/w3c/webauthn:

== Packed and U2F Attestation Statements' verifications don't differentiate between Basic and Privacy CA Attestation Types ==
The [Packed Attestation Statement Format](https://w3c.github.io/webauthn/#packed-attestation) is valid for all Attestation Types. 

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2313-L2317

However, in its **verification procedure** it assumes that if `x5c` is present, the attestation is of type `Basic`:

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2387-L2393

However, that's what the `Privacy CA` attestation will look like, too.

Similarly, it's technically feasible for a browser to use the `Privacy CA` option for U2F, and we might want to do so for - say - private browsing mode. Yet the U2F Attestation Format suffers the same issue -- in addition, it excludes `Privacy CA`, which seems wrong, as it'd be useful:

https://github.com/w3c/webauthn/blob/b8c60278ad53479d03a2247e1360c33869f58e92/index.bs#L2686-L2690

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/656 using your GitHub account
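To make the point above concrete, the following is an added example (not code from the WebAuthn spec, the issue author, or any browser) of how a relying party could determine the attestation type of a decoded packed `attStmt` without assuming `Basic` whenever `x5c` is present. It assumes the `attStmt` has already been CBOR-decoded into a dict, and it stands in for real X.509 chain validation with a constructed lookup keyed by the SHA-256 of the chain's last certificate.

```python
"""Attestation-type determination for a decoded WebAuthn packed attStmt.

Illustrative only: a real verifier validates the x5c chain with an X.509
library against its trust anchors; here the anchor is matched by the
SHA-256 of the last certificate in x5c (a deliberate simplification).
"""
import hashlib

BASIC, ATT_CA, ECDAA, SELF = "Basic", "AttCA", "ECDAA", "Self"


def candidate_types(att_stmt):
    """Attestation types a packed attStmt of this shape may have.

    The statement's shape alone cannot separate Basic from Privacy CA
    (AttCA): both deliver the attestation certificate chain in x5c.
    """
    if "x5c" in att_stmt:
        return {BASIC, ATT_CA}
    if "ecdaaKeyId" in att_stmt:
        return {ECDAA}
    return {SELF}


def resolve_type(att_stmt, trust_anchors):
    """Pick the single attestation type using the RP's trust-anchor policy.

    trust_anchors maps sha256(anchor cert DER) -> attestation type the RP
    recorded for that anchor (authenticator vendor root -> Basic,
    Privacy CA root -> AttCA). Only the anchor, not the attStmt, decides.
    """
    candidates = candidate_types(att_stmt)
    if "x5c" not in att_stmt:
        return next(iter(candidates))  # Self or ECDAA: unambiguous from shape
    anchor_fp = hashlib.sha256(att_stmt["x5c"][-1]).hexdigest()
    anchor_type = trust_anchors.get(anchor_fp)
    if anchor_type is None:
        raise ValueError("x5c chain does not root in a configured trust anchor")
    if anchor_type not in candidates:
        raise ValueError(f"anchor type {anchor_type} not valid for this attStmt")
    return anchor_type


# Constructed stand-ins for DER-encoded root certificates (not real certs).
VENDOR_ROOT = b"constructed-authenticator-vendor-root"
PRIVACY_CA_ROOT = b"constructed-privacy-ca-root"
TRUST_ANCHORS = {
    hashlib.sha256(VENDOR_ROOT).hexdigest(): BASIC,
    hashlib.sha256(PRIVACY_CA_ROOT).hexdigest(): ATT_CA,
}
```

Two statements with identical `alg`/`sig`/`x5c` structure resolve to `Basic` or `AttCA` purely according to which anchor the chain roots in, which is the distinction the current verification text collapses.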
Received on Wednesday, 18 October 2017 22:11:22 UTC