[webauthn] Ambiguous instructions in Android Key Attestation Statement Format verification procedure

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Ambiguous instructions in Android Key Attestation Statement Format verification procedure ==
According to: https://w3c.github.io/webauthn/#android-key-attestation

The verification procedure includes a number of instructions related to processing attestation certificate extension data. 

1. It would be useful to point out that this extension data is oid: "1.3.6.1.4.1.11129.2.1.17"
2. Some verification procedure instructions refer to AuthorizationList:
  - The AuthorizationList.allApplications field is not present, since PublicKeyCredential MUST be bound to the RP ID.
  - The value in the AuthorizationList.origin field is equal to KM_TAG_GENERATED.
  - The value in the AuthorizationList.purpose field is equal to KM_PURPOSE_SIGN.

According to the information available at: https://source.android.com/security/keystore/attestation#id-attestation there are actually TWO AuthorizationList elements within a KeyDescription.

These are:
- softwareEnforced
- teeEnforced

It is ambiguous as to which (or any, or both) of these AuthorizationList objects should be checked for the indicated attributes.

From parsing a test message, I found:
 - allApplications is in neither (that's ok)
 - origin is in teeEnforced, but not in softwareEnforced
 - purpose appeared in neither (this seems like either a bad attestation test message, or bad advice to check for it)

The specific AuthorizationList(s) to check should be indicated in the verification procedure for these attributes.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1022 using your GitHub account

Received on Thursday, 2 August 2018 12:59:09 UTC
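An added example, not code from the issue, the WebAuthn spec, or the Android project, showing one way a relying party could handle the ambiguity raised above: parse the KeyDescription from extension 1.3.6.1.4.1.11129.2.1.17 with a minimal DER walker and apply the three checks to both AuthorizationLists, examining an attribute wherever it is present. The tag numbers ([1] purpose, [600] allApplications, [702] origin) and the constants KM_PURPOSE_SIGN = 2 and KM_ORIGIN_GENERATED = 0 are assumptions taken from the Android Keystore attestation documentation, not from this post, and the sample KeyDescription is constructed.

```python
# Added example; tag numbers and constants are assumed from the Android Keystore docs.
TAG_PURPOSE, TAG_ALL_APPLICATIONS, TAG_ORIGIN = 1, 600, 702  # [1], [600], [702]
KM_PURPOSE_SIGN, KM_ORIGIN_GENERATED = 2, 0

def iter_tlvs(buf):
    """Yield (class, tag_number, value) for each DER TLV in buf."""
    i = 0
    while i < len(buf):
        first, i = buf[i], i + 1
        cls, num = first >> 6, first & 0x1F
        if num == 0x1F:  # high tag number ([600], [702]): base-128 bytes follow
            num = 0
            while True:
                num, i = (num << 7) | (buf[i] & 0x7F), i + 1
                if not buf[i - 1] & 0x80:
                    break
        length, i = buf[i], i + 1
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield cls, num, buf[i:i + length]
        i += length

def parse_key_description(der):
    """DER KeyDescription -> (softwareEnforced, teeEnforced) as {tag: inner DER}."""
    fields = list(iter_tlvs(next(iter_tlvs(der))[2]))  # children of outer SEQUENCE
    unwrap = lambda body: {n: v for c, n, v in iter_tlvs(body) if c == 2}  # EXPLICIT
    return unwrap(fields[6][2]), unwrap(fields[7][2])

def ints(tlv):
    """INTEGER or SET OF INTEGER TLV -> list of ints."""
    _, num, body = next(iter_tlvs(tlv))
    vals = [body] if num == 2 else [v for _, _, v in iter_tlvs(body)]
    return [int.from_bytes(v, "big", signed=True) for v in vals]

def check_authorization_lists(sw, tee):
    """Return failed checks; an attribute present in either list is examined."""
    problems = []
    if TAG_ALL_APPLICATIONS in sw or TAG_ALL_APPLICATIONS in tee:
        problems.append("allApplications present")
    origins = [o for al in (sw, tee) if TAG_ORIGIN in al for o in ints(al[TAG_ORIGIN])]
    if not origins or any(o != KM_ORIGIN_GENERATED for o in origins):
        problems.append("origin missing or not KM_ORIGIN_GENERATED: %r" % origins)
    purposes = [p for al in (sw, tee) if TAG_PURPOSE in al for p in ints(al[TAG_PURPOSE])]
    if KM_PURPOSE_SIGN not in purposes:
        problems.append("purpose missing or lacks KM_PURPOSE_SIGN: %r" % purposes)
    return problems

# Constructed sample KeyDescription: versions/levels, challenge "chal", empty uniqueId,
# empty softwareEnforced, then teeEnforced = purpose {SIGN}, origin GENERATED.
SAMPLE = bytes.fromhex("3026 020103 0a0101 020103 0a0101 0404 6368616c 0400 3000"
                       " 300e a105 3103 020102 bf853e 03 020100")
```

Running `check_authorization_lists(*parse_key_description(SAMPLE))` on this sample returns an empty list, while a KeyDescription with purpose in neither list (the situation reported in the issue) is reported as a failed purpose check.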