- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 08 Sep 2017 22:22:44 +0000
- To: public-webauthn@w3.org
FYI this is a link to the Android Compatibility testing. https://source.android.com/compatibility/

Someone from Google should comment, but in looking at SafetyNet attestations for other things my conclusion was that ctsProfileMatch is required to trust the attestation. A device that doesn't have that can't really be trusted.

basicIntegrity is a best effort to provide some integrity checks on uncertified devices, and not something that we should be using as a security attestation; it is in my opinion not really better than nothing as it is more likely to provide a false sense of security.

I believe there are some large Asian manufacturers that don't have CTS certification or license GMS, so those would not be able to have a trusted soft authenticator; if they support NFC or BT, people have other options.

I think what we have, checking ctsProfileMatch and ignoring basicIntegrity, is fine. Better defining basicIntegrity for uncertified devices is not going to help anyone.

John B.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/437#issuecomment-328227519 using your GitHub account
Received on Friday, 8 September 2017 22:22:40 UTC