
Re: [webauthn] SafetyNet response as an extension

From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Aug 2018 17:58:28 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-409665486-1533146308-sysbot+gh@w3.org>
I'm not sure that the comments here are really relevant to the core issue: SafetyNet is supposed to give an RP *some* idea about the level of risk involved with trusting a key attested to in this fashion. I believe it does just that. RPs are free to make their own risk decisions when getting this attestation type. SafetyNet also continuously evolves, and the "attacks" folks refer to here might already mostly be mitigated.

Yes, I agree that in a perfect world it might make sense to have an extension that talks about "platform integrity" but this is just not something we can commit to at this point.

I vote for this staying as a form of attestation.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1011#issuecomment-409665486 using your GitHub account
Received on Wednesday, 1 August 2018 17:58:41 UTC
