
Re: [webauthn] Attestation validation issues

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 15 Jun 2018 16:34:51 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-397676091-1529080489-sysbot+gh@w3.org>
>- Doesn't mention to validate the x5c chain or where to find the root of trust

This is done separately in the [RP Operations][rp-reg]:

>15. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in _authData_.
>16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
>     - If self attestation was used, check if self attestation is acceptable under Relying Party policy.
>     - If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
>     - Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.


>Statements like `Verify that x5c` or `If x5c contains an extension` are unclear whether they are referring to "attestation public key in x5c" or "all certificates in x5c".


>Doesn't mention to validate the JWS signature

I know almost nothing about Android SafetyNet, but I _think_ that might be implied by the verification procedure step "Verify that _response_ is a valid SafetyNet response of version _ver_.".

[rp-reg]: https://www.w3.org/TR/webauthn/#registering-a-new-credential

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/950#issuecomment-397676091 using your GitHub account
Received on Friday, 15 June 2018 16:35:09 UTC
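As an added example (not code from the WebAuthn spec, this thread, or any RP library), the following Go shows how the quoted steps 15 and 16 fit together on the Relying Party side: the trust anchors and policy from step 15 are inputs, and step 16 branches on the attestation type, chaining the x5c path to an acceptable root in the default case. The attestation type strings, the parameter names and the ConstructedCert helper (which issues throwaway certificates as sample data) are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// AssessTrust applies the three branches of step 16. attType, ecdaaIssuerID and x5c
// (attestation certificate first) are outputs of the verification procedure; allowSelf,
// ecdaaIssuers and roots are the policy and trust anchors obtained in step 15.
func AssessTrust(attType, ecdaaIssuerID string, x5c []*x509.Certificate,
	allowSelf bool, ecdaaIssuers map[string]bool, roots *x509.CertPool) error {
	switch {
	case attType == "Self" && !allowSelf:
		return errors.New("self attestation not acceptable under RP policy")
	case attType == "ECDAA" && !ecdaaIssuers[ecdaaIssuerID]:
		return errors.New("ECDAA-Issuer not among the acceptable trust anchors")
	case attType == "Self" || attType == "ECDAA":
		return nil
	case len(x5c) == 0: // Basic/AttCA with nothing to chain: reject instead of indexing x5c[0]
		return errors.New("no attestation certificate to chain")
	}
	inter := x509.NewCertPool() // the rest of x5c are untrusted intermediates, never roots
	for _, c := range x5c[1:] {
		inter.AddCert(c)
	}
	_, err := x5c[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // attestation certs carry no TLS EKU
	return err
}

// ConstructedCert issues a throwaway certificate (constructed sample data, not any
// vendor's); parent == nil makes a self-signed root. The returned key signs children.
func ConstructedCert(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

A chain that ends at a root not in the step 15 set fails in the default branch even though every signature in x5c is valid, which is the distinction between the verification procedure (step 14) and the trust assessment (step 16).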