Re: [webauthn] SafetyNet Attestation Clarifications

@apowers313 

2. SafetyNet uses Google root certificates https://pki.goog/. Needs to be clarified in specs. Needs metadata.

3. That's actually clear in specs: 

> Concatenate authenticatorData and clientDataHash, perform SHA-256 hash of the concatenated string, and let the result of the hash form attToBeSigned.
> Request a SafetyNet attestation, providing attToBeSigned as the nonce value. Set response to the result, and ver to the version of Google Play Services running in the authenticator.

> Verify that the nonce in the response is identical to the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.



-- 
GitHub Notification of comment by herrjemand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/968#issuecomment-399710981 using your GitHub account

Received on Saturday, 23 June 2018 21:12:48 UTC
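
The nonce binding quoted from the spec above, as an added Python example that is not part of the original comment or of the WebAuthn project's code. It assumes the SafetyNet response is a compact JWS whose payload carries `nonce` as a standard-base64 string; `make_sample_jws` and all sample bytes are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWS segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def expected_nonce(authenticator_data: bytes, client_data_hash: bytes) -> bytes:
    """attToBeSigned = SHA-256(authenticatorData || clientDataHash)."""
    return hashlib.sha256(authenticator_data + client_data_hash).digest()


def nonce_matches(jws: str, authenticator_data: bytes, client_data_hash: bytes) -> bool:
    """Check only the nonce binding of a compact-JWS SafetyNet response.

    Signature and certificate-chain validation (against the Google roots)
    are separate verification steps and are not performed here.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return False
    try:
        payload = json.loads(b64url_decode(parts[1]))
        # Assumption: "nonce" is standard base64 of the raw nonce bytes.
        got = base64.b64decode(payload["nonce"], validate=True)
    except (ValueError, KeyError, TypeError):
        return False  # malformed payload or missing/ill-typed nonce
    # Constant-time comparison of the received and recomputed nonce.
    return hmac.compare_digest(got, expected_nonce(authenticator_data, client_data_hash))


def make_sample_jws(nonce: bytes) -> str:
    """Constructed, unsigned stand-in for a SafetyNet response (test data only)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256"}).encode())
    payload = enc(json.dumps({"nonce": base64.b64encode(nonce).decode()}).encode())
    return f"{header}.{payload}.{enc(b'constructed-signature')}"


if __name__ == "__main__":
    auth_data = bytes(37)  # constructed authenticatorData
    cdh = hashlib.sha256(b'{"type":"webauthn.create"}').digest()  # constructed
    jws = make_sample_jws(expected_nonce(auth_data, cdh))
    print(nonce_matches(jws, auth_data, cdh))            # matching nonce
    print(nonce_matches(jws, auth_data + b"\x00", cdh))  # altered authenticatorData
```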