Re: [webauthn] Attestation validation issues

From: Adam Powers via GitHub <sysbot+gh@w3.org>
Date: Fri, 15 Jun 2018 17:56:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-397697458-1529085367-sysbot+gh@w3.org>

@gmandyam The SafetyNet nonce contains the authenticatorData which contains the new publicKey; and the nonce is signed over with a cert that chains back to a root of trust. Seems like worthwhile attestation to me.

1. I like the idea of assigning *attCert* as `x5c[0]` and then consistently referring to *attCert* throughout the verifications.
2. So the TPM / Google root certs (should) be in MDS associated with every AAGUID that is dependent on them?
3. `ver` might be for choosing a verification algorithm, but there's still no documentation on how to use it to select a verification algorithm. Maybe there's something I'm missing for how `ver` would relate to different versions of the SafetyNet API documentation?

GitHub Notification of comment by apowers313
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/950#issuecomment-397697458 using your GitHub account
Received on Friday, 15 June 2018 17:56:10 UTC
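
The nonce binding and the `x5c[0]` assignment discussed in the message above, as an added example that is not part of the original message or of the WebAuthn specification text. It assumes the nonce is computed as in WebAuthn's android-safetynet verification procedure (Base64 of SHA-256 over authenticatorData || clientDataHash); the function names and sample values are hypothetical and constructed, and JWS signature and certificate chain validation are not performed here.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    # Compact JWS segments are base64url without padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> str:
    # Assumption: nonce = Base64(SHA-256(authenticatorData || clientDataHash)).
    digest = hashlib.sha256(auth_data + client_data_hash).digest()
    return base64.b64encode(digest).decode()


def check_safetynet_binding(jws: str, auth_data: bytes, client_data_hash: bytes):
    """Return (ok, att_cert_der, reason). Does NOT verify the JWS signature
    or the chain from attCert to a trusted root; that must happen separately."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, None, "not a compact JWS"
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    x5c = header.get("x5c") or []
    if not x5c:
        return False, None, "no x5c in header"
    att_cert = base64.b64decode(x5c[0])  # attCert := x5c[0], DER bytes
    if payload.get("nonce") != expected_nonce(auth_data, client_data_hash):
        return False, att_cert, "nonce mismatch"
    return True, att_cert, "ok"


def make_sample_jws(auth_data: bytes, client_data_hash: bytes) -> str:
    # Constructed sample: placeholder certificate bytes and placeholder signature.
    header = {"alg": "RS256",
              "x5c": [base64.b64encode(b"constructed-attcert-der").decode()]}
    payload = {"nonce": expected_nonce(auth_data, client_data_hash)}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"constructed-signature")])


SAMPLE_AUTH_DATA = b"constructed-authenticatorData-with-new-publicKey"
SAMPLE_CLIENT_DATA_HASH = hashlib.sha256(b'{"type":"webauthn.create"}').digest()
SAMPLE_JWS = make_sample_jws(SAMPLE_AUTH_DATA, SAMPLE_CLIENT_DATA_HASH)
```

A response whose nonce does not match the authenticatorData presented in the same registration is rejected before the certificate is ever consulted, so a valid SafetyNet response cannot be replayed to vouch for a different public key.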
