
Re: [webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Fri, 08 Sep 2017 22:22:44 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328227519-1504909354-sysbot+gh@w3.org>
FYI, this is a link to the Android Compatibility testing: https://source.android.com/compatibility/

Someone from Google should comment, but in looking at SafetyNet attestations for other things, my conclusion was that ctsProfileMatch is required to trust the attestation. A device that doesn't have that can't really be trusted. basicIntegrity is a best effort to provide some integrity checks on uncertified devices, and not something that we should be using as a security attestation; it is, in my opinion, not really better than nothing, as it is more likely to provide a false sense of security.

I believe there are some large Asian manufacturers that don't have CTS certification or license GMS, so those would not be able to have a trusted soft authenticator; if they support NFC or BT, people have other options.

I think what we have, checking ctsProfileMatch and ignoring basicIntegrity, is fine.
Better defining basicIntegrity for uncertified devices is not going to help anyone.

John B.


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/437#issuecomment-328227519 using your GitHub account
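The policy John describes (require ctsProfileMatch, record but never rely on basicIntegrity), shown as an added relying-party check over a decoded android-safetynet attestation payload. This is example code, not part of the thread or the WebAuthn spec text; it assumes the caller has already verified the JWS signature and its x5c chain to attest.android.com, and the sample inputs and the unsigned `alg: none` JWS are constructed purely to exercise the logic.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real SafetyNet data): a WebAuthn
# authenticatorData blob and clientDataHash, used to derive the nonce
# the attestation payload must echo back.
AUTH_DATA = b"\x00" * 37
CLIENT_DATA_HASH = hashlib.sha256(b"constructed clientDataJSON").digest()
MAX_AGE_MS = 60_000  # assumed freshness window, a relying-party choice

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> str:
    # WebAuthn binds the SafetyNet response to the ceremony: nonce is the
    # standard base64 of SHA-256(authenticatorData || clientDataHash).
    digest = hashlib.sha256(auth_data + client_data_hash).digest()
    return base64.b64encode(digest).decode()

def make_sample_jws(payload: dict) -> str:
    # Constructed, unsigned JWS (alg "none") only to feed the policy check;
    # a real response is signed and carries an x5c chain for attest.android.com.
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."

def evaluate_safetynet(jws: str, auth_data: bytes, client_data_hash: bytes,
                       now_ms: int) -> dict:
    """Require ctsProfileMatch; treat basicIntegrity as diagnostics only.
    Precondition (assumed done by the caller): signature and chain verified."""
    payload = json.loads(_b64url_decode(jws.split(".")[1]))
    reasons = []
    if payload.get("nonce") != expected_nonce(auth_data, client_data_hash):
        reasons.append("nonce does not bind to this ceremony")
    age = now_ms - int(payload.get("timestampMs", 0))
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("timestamp outside freshness window")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch is false: device not CTS-certified")
    # basicIntegrity is logged for troubleshooting; it never upgrades trust.
    return {"trusted": not reasons, "reasons": reasons,
            "basicIntegrity": bool(payload.get("basicIntegrity", False))}
```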
Received on Friday, 8 September 2017 22:22:40 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC