W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

Re: [webauthn] Android SafetyNet Attestation lacks information on authenticator provenance

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 07 Sep 2017 23:33:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-327956452-1504827186-sysbot+gh@w3.org>
The saftynet attestation gives you the identity of the app.   To turn that into something useful there needs to be a registry of authenticator apps to look up the additional meta-data.  
Safetynet is not WebAuthn specific, is ther a requirement that safetynet look up the other meta data to include in the JWT?

The app could wrap the JWT but you need to look up the app info someplace anyway to validate it.
The practical question is if you use the app hash of the developer cert and the APK name directly to look it up or hand back a name that can be looked up in the meta-data service to find cert hash and APK name to validate and get meta-data.  

I guess Google could crate a new safetynet attestation format that pulled that info in to the attestation from some service but that is not a insignificant ask.   

I know I have been asking for extensions for some time for other things in the attestation:)

John B.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/438#issuecomment-327956452 using your GitHub account
Received on Thursday, 7 September 2017 23:33:13 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC