@apowers313 2. SafetyNet uses google root certificates https://pki.goog/. Needs to be clarified in specs. Needs metadata. 3. That's actually clear in specs: > Concatenate authenticatorData and clientDataHash, perform SHA-256 hash of the concatenated string, and let the result of the hash form attToBeSigned. > Request a SafetyNet attestation, providing attToBeSigned as the nonce value. Set response to the result, and ver to the version of Google Play Services running in the authenticator. > Verify that the nonce in the response is identical to the SHA-256 hash of the concatenation of authenticatorData and clientDataHash. -- GitHub Notification of comment by herrjemand Please view or discuss this issue at https://github.com/w3c/webauthn/issues/968#issuecomment-399710981 using your GitHub accountReceived on Saturday, 23 June 2018 21:12:48 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:33 UTC