- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 15 Jun 2018 16:34:51 +0000
- To: public-webauthn@w3.org
> - Doesn't mention to validate the x5c chain or where to find the root of trust

This is done separately in the [RP Operations][rp-reg]:

> 15. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in _authData_.
>
> 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
> - If self attestation was used, check if self attestation is acceptable under Relying Party policy.
> - If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
> - Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

---

> Statements like `Verify that x5c` or `If x5c contains an extension` are unclear whether they are referring to "attestation public key in x5c" or "all certificates in x5c".

Agreed.

> Doesn't mention to validate the JWS signature

I know almost nothing about Android SafetyNet, but I _think_ that might be implied by the verification procedure step "Verify that _response_ is a valid SafetyNet response of version _ver_.".

[rp-reg]: https://www.w3.org/TR/webauthn/#registering-a-new-credential

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/950#issuecomment-397676091 using your GitHub account
Received on Friday, 15 June 2018 16:35:09 UTC
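The "Otherwise" branch of step 16 quoted above (verify that the attestation public key chains up to an acceptable root) and the x5c extension ambiguity raised in the comment, as an added worked example. This is not code from the comment, the WebAuthn spec or any FIDO project: it uses Go's standard-library crypto/x509 for chain building, a constructed demo PKI (vendor attestation root, intermediate CA, per-device attestation certificate, and an unrelated root standing in for a root that is not among the trust anchors), a made-up 16-byte AAGUID, and the reading that "If x5c contains an extension" refers to the attestation certificate only. The function, fixture and helper names are all assumptions made here; the OID 1.3.6.1.4.1.45724.1.1.4 is the id-fido-gen-ce-aaguid extension defined for the packed attestation format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidFidoGenCeAAGUID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 45724, 1, 1, 4} // id-fido-gen-ce-aaguid (packed attestation)
var demoAAGUID = []byte("demo-aaguid-0001")                                  // 16 constructed bytes, not a real AAGUID

// VerifyAttestationChain is the "Otherwise" branch of RP step 16 for a packed
// attestation. x5c is the attestation statement's certificate list (attestation
// certificate first), trustAnchors the acceptable roots from step 15, and
// expectedAAGUID the aaguid from attestedCredentialData. crypto/x509 checks the
// whole chain (ExtKeyUsageAny: attestation certificates carry no TLS EKU); the
// aaguid extension is checked on the attestation certificate only.
func VerifyAttestationChain(x5c, trustAnchors []*x509.Certificate, expectedAAGUID []byte, now time.Time) ([]*x509.Certificate, error) {
	if len(x5c) == 0 {
		return nil, fmt.Errorf("x5c is empty")
	}
	leaf, roots, intermediates := x5c[0], x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustAnchors {
		roots.AddCert(c)
	}
	for _, c := range x5c[1:] {
		intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, fmt.Errorf("attestation public key does not chain to an acceptable root: %w", err)
	}
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidFidoGenCeAAGUID) {
			var got []byte // extnValue is a DER OCTET STRING holding the 16-byte aaguid
			if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
				return nil, fmt.Errorf("malformed id-fido-gen-ce-aaguid extension")
			}
			if string(got) != string(expectedAAGUID) {
				return nil, fmt.Errorf("aaguid in attestation certificate does not match authData")
			}
		}
	}
	return chains[0], nil // leaf, intermediates, trust anchor
}

// Fixture is a constructed PKI (vendor root, intermediate CA, device attestation cert, unrelated root); not real FIDO certificates.
type Fixture struct {
	Root, Intermediate, Leaf, UnrelatedRoot *x509.Certificate
}

func BuildFixture() *Fixture {
	root, rootKey := issue(certTemplate("Demo Attestation Root", 1, true), nil, nil)
	inter, interKey := issue(certTemplate("Demo Attestation CA", 2, true), root, rootKey)
	leafTmpl := certTemplate("Demo Authenticator", 3, false)
	leafTmpl.ExtraExtensions = []pkix.Extension{{Id: oidFidoGenCeAAGUID, Value: must(asn1.Marshal(demoAAGUID))}}
	leaf, _ := issue(leafTmpl, inter, interKey)
	other, _ := issue(certTemplate("Unrelated Root", 4, true), nil, nil)
	return &Fixture{Root: root, Intermediate: inter, Leaf: leaf, UnrelatedRoot: other}
}

func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku}
}

// issue generates a P-256 key for tmpl and signs it with signer; a nil signer self-signs.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	f := BuildFixture()
	_, err := VerifyAttestationChain([]*x509.Certificate{f.Leaf, f.Intermediate}, []*x509.Certificate{f.Root}, demoAAGUID, time.Now())
	fmt.Println("chain to vendor root:", err)
}
```

Feeding the same x5c with UnrelatedRoot as the only trust anchor, or with the intermediate omitted, fails with an "unknown authority" error from crypto/x509, and a chain that verifies but carries a different aaguid in the extension is rejected after the chain check. The self attestation and ECDAA branches of step 16 are policy decisions outside this function: self attestation arrives without an x5c at all, so the RP decides it before calling anything like this.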