Re: [webauthn] U2F Attestation only lists Basic Attestation as supported

Now the spec instead doesn't say how to detect when the `fido-u2f` attestation statement format uses self attestation. It seems like that would be when `attStmt.x5c[0]` is self-signed, correct? Either way I think the verification procedure in [§7.6][1] should make some mention of self attestation, as currently

- the only occurrence of the word "self" in §7.6 is in the list of supported attestation types; and
- the final step of the verification procedure says to always return attestation type Basic. While this is technically correct as the returned `x5c` is indeed the entire trust path, it is confusing.

[1]: https://www.w3.org/TR/webauthn/#fido-u2f-attestation


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/392#issuecomment-328498164 using your GitHub account

Received on Monday, 11 September 2017 11:12:39 UTC
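
The comment above asks whether self attestation in `fido-u2f` would show up as a self-signed `attStmt.x5c[0]`. The following Go program is an added example, not part of the original comment or of the WebAuthn spec, showing what such a check involves for a relying party: issuer and subject must match and the signature must verify under the certificate's own key. The helper names `isSelfSigned`, `makeCert` and `newKey` are hypothetical, and the sample certificates are constructed at run time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSelfSigned reports whether a DER certificate (such as attStmt.x5c[0]) has
// issuer == subject and a signature that verifies under its own public key.
func isSelfSigned(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil || !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false, err // parse failure (err set) or names differ (err nil)
	}
	// Matching names alone prove nothing; the signature check decides.
	err = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
	return err == nil, nil
}

// makeCert builds a constructed sample cert for key subj, issuer name issuerCN, signed by signer.
func makeCert(cn, issuerCN string, subj, signer *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subj.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return der
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // sample key only
	return k
}

func main() {
	dev, ca := newKey(), newKey()
	fmt.Println(isSelfSigned(makeCert("dev", "dev", dev, dev))) // self-signed
	fmt.Println(isSelfSigned(makeCert("dev", "ca", dev, ca)))   // CA-issued
}
```

A certificate whose issuer name equals its subject name but which was signed by a different key is rejected by the signature step, which is why comparing names alone is not sufficient.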