
Re: [webauthn] basicIntegrity in SafetyNet documentation not sufficiently defined

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Fri, 08 Sep 2017 22:22:44 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328227519-1504909354-sysbot+gh@w3.org>
FYI, this is a link to the Android Compatibility testing: https://source.android.com/compatibility/

Someone from Google should comment, but in looking at SafetyNet attestations for other things my conclusion was that ctsProfileMatch is required to trust the attestation. A device that doesn't have that can't really be trusted. basicIntegrity is a best effort to provide some integrity checks on uncertified devices, and not something that we should be using as a security attestation; it is, in my opinion, not really better than nothing, as it is more likely to provide a false sense of security.

I believe there are some large Asian manufacturers that don't have CTS certification or license GMS, so those would not be able to have a trusted soft authenticator; if they support NFC or BT, people have other options.

I think what we have, checking ctsProfileMatch and ignoring basicIntegrity, is fine.
Better defining basicIntegrity for uncertified devices is not going to help anyone.

John B.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/437#issuecomment-328227519 using your GitHub account
Received on Friday, 8 September 2017 22:22:40 UTC
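As an added example, not code from this thread or from the WebAuthn specification: a relying-party check over a SafetyNet attestation payload that applies the policy stated above (require ctsProfileMatch, ignore basicIntegrity entirely). It assumes the JWS signature and its x5c certificate chain were already verified, and the nonce, timestamps and JWS strings it builds are constructed placeholders.

```python
import base64
import json
import time

# Added example: claim-level policy check on a SafetyNet attestation response.
# The JWS signature and certificate chain must already be verified before any
# claim read here is trusted; that step is deliberately outside this snippet.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_sample_jws(claims: dict) -> str:
    """Constructed test input: placeholder header and signature around a real-shaped payload."""
    header = _b64url_encode(b'{"alg":"RS256","x5c":["PLACEHOLDER"]}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.PLACEHOLDER"

def safetynet_claims(jws: str) -> dict:
    """Extract the payload claims from a compact-serialised JWS."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def evaluate_attestation(jws, expected_nonce, now_ms=None, max_age_ms=60_000):
    """Return (trusted, reason). basicIntegrity is never consulted, by design."""
    claims = safetynet_claims(jws)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if claims.get("nonce") != expected_nonce:
        return False, "nonce does not match this ceremony"
    ts = claims.get("timestampMs")
    if not isinstance(ts, int) or not (now_ms - max_age_ms <= ts <= now_ms + max_age_ms):
        return False, "timestampMs outside the accepted window"
    if claims.get("ctsProfileMatch") is not True:
        # basicIntegrity=true changes nothing here: an uncertified device is not trusted.
        return False, "ctsProfileMatch is not true"
    return True, "CTS-certified device"

if __name__ == "__main__":
    nonce = "c29tZS1ub25jZQ"  # constructed; a real RP derives it from the ceremony data
    now = 1_504_909_354_000   # constructed "now" in ms
    certified = make_sample_jws({"nonce": nonce, "timestampMs": now - 1000,
                                 "ctsProfileMatch": True, "basicIntegrity": True})
    uncertified = make_sample_jws({"nonce": nonce, "timestampMs": now - 1000,
                                   "ctsProfileMatch": False, "basicIntegrity": True})
    print(evaluate_attestation(certified, nonce, now))    # (True, 'CTS-certified device')
    print(evaluate_attestation(uncertified, nonce, now))  # (False, 'ctsProfileMatch is not true')
```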
