
Re: [webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Fri, 08 Sep 2017 21:35:54 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328219592-1504906544-sysbot+gh@w3.org>

3 thoughts. Note that I'm not involved in defining that field, and I don't have an opinion on whether SafetyNet needs to be in the pre-registered attestation format:

1. https://developer.android.com/training/safetynet/attestation.html#possible-results elaborates on what kinds of circumstances result in `basicIntegrity` being true or false. Does that help at all?

2. This resembles some anti-malware efforts I've looked at, where if you're too precise about what makes something malware or if you freeze the definition, that allows malware to circumvent the protection.

3. The Verification Procedure in https://w3c.github.io/webauthn/#android-safetynet-attestation says to check the `ctsProfileMatch` field, not the `basicIntegrity` field, so maybe it doesn't matter if `basicIntegrity` is badly-specified.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/437#issuecomment-328219592 using your GitHub account
Received on Friday, 8 September 2017 21:35:52 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC