Re: [webauthn] SafetyNet response as an extension

I'm not sure that the comments here are really relevant to the core issue: SafetyNet is supposed to give an RP *some* idea about the level of risk involved with trusting a key attested to in this fashion. I believe it does just that. RPs are free to make their own risk decisions when getting this attestation type. SafetyNet also continuously evolves, and the "attacks" folks refer to here might already mostly be mitigated.

Yes, I agree that in a perfect world it might make sense to have an extension that talks about "platform integrity", but this is just not something we can commit to at this point.

I vote for this staying as a form of attestation.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1011#issuecomment-409665486 using your GitHub account

Received on Wednesday, 1 August 2018 17:58:41 UTC