Re: [webauthn] Attestation validation issues

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 15 Jun 2018 17:15:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-397686538-1529082902-sysbot+gh@w3.org>

Yeah, it seems like where to get the root certs is intentionally left out except for the mention of the FIDO MDS.

>In the SafetyNet Attestation API docs there is a section entitled Verify the compatibility check response that says to check the signature of the JWS... maybe a pointer to that is what is needed?

Thanks, that seems like a good solution to me!

>It's still not clear to me how to correlate the `ver` with the `response` to make sure the response is right. It's not like there's a `version` member inside the response payload

I'm guessing the purpose of the `ver` response field is for selecting a verification algorithm, rather than something to compare the `response` against.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/950#issuecomment-397686538 using your GitHub account
Received on Friday, 15 June 2018 17:15:07 UTC