[webauthn] Bad instructions in Android SafetyNet attestation validation steps

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Bad instructions in Android SafetyNet attestation validation steps ==
In section 8.5 (https://www.w3.org/TR/webauthn/#android-safetynet-attestation) there are validation instructions for the Android SafetyNet Attestation Statement Format.

One of these states:

"Verify that the nonce in the response is identical to the concatenation of authenticatorData and clientDataHash."

This is actually wrong. The nonce actually seems to be:
b64encode(sha256(authenticatorData + clientDataHash));

Please confirm with the Google team first, but that seems to be the needed check to me.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1018 using your GitHub account

Received on Saturday, 28 July 2018 06:31:56 UTC
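An added example, not code from the issue, the spec or any project: the nonce check as sbweeden describes it, written for a relying party in Python. It recomputes base64(sha256(authenticatorData || clientDataHash)), compares it in constant time with the nonce claim in the SafetyNet JWS payload, and rejects a response whose nonce is the raw concatenation the spec text literally describes. The JWS, authenticator data and client data hash are constructed sample values; JWS signature and certificate-chain validation are separate steps and are not performed here.

```python
import base64
import hashlib
import hmac
import json

def expected_safetynet_nonce(authenticator_data: bytes, client_data_hash: bytes) -> str:
    """Nonce the RP should expect: base64(sha256(authenticatorData || clientDataHash))."""
    digest = hashlib.sha256(authenticator_data + client_data_hash).digest()
    return base64.b64encode(digest).decode("ascii")

def spec_literal_nonce(authenticator_data: bytes, client_data_hash: bytes) -> str:
    """What the spec text literally says: the raw concatenation, base64-encoded."""
    return base64.b64encode(authenticator_data + client_data_hash).decode("ascii")

def payload_nonce(jws_compact: str) -> str:
    """Pull the 'nonce' claim out of a compact JWS (header.payload.signature).
    Only the payload is decoded; signature and cert-chain checks are other steps."""
    parts = jws_compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))["nonce"]

def nonce_matches(jws_compact: str, authenticator_data: bytes, client_data_hash: bytes) -> bool:
    """Constant-time comparison of the response nonce against the expected value."""
    expected = expected_safetynet_nonce(authenticator_data, client_data_hash)
    return hmac.compare_digest(payload_nonce(jws_compact).encode(), expected.encode())

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def build_sample_jws(nonce: str) -> str:
    """Constructed, UNSIGNED JWS carrying the given nonce (demonstration only)."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url(json.dumps({"nonce": nonce, "ctsProfileMatch": True}).encode())
    return f"{header}.{payload}."

# Constructed sample inputs, not real authenticator output.
AUTH_DATA = b"\x00" * 37  # rpIdHash (32) + flags (1) + signCount (4) placeholder
CLIENT_DATA_HASH = hashlib.sha256(b'{"type":"webauthn.create"}').digest()

if __name__ == "__main__":
    good = build_sample_jws(expected_safetynet_nonce(AUTH_DATA, CLIENT_DATA_HASH))
    bad = build_sample_jws(spec_literal_nonce(AUTH_DATA, CLIENT_DATA_HASH))
    print("hashed nonce accepted:", nonce_matches(good, AUTH_DATA, CLIENT_DATA_HASH))
    print("concatenation nonce accepted:", nonce_matches(bad, AUTH_DATA, CLIENT_DATA_HASH))
```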