Re: [webauthn] Is android-safetynet attestation trust path limited to one cert? (#1132)

>So yes, the trust path should include the whole chain.

Thanks! We'll get that fixed then.

>clarify that the hostname to check is in the leaf cert

I'd say this is already precise enough since "Let _attestationCert_ be the attestation certificate." implicitly means that _attestationCert_ is the leaf cert. I'll make sure this is preserved in the fix.

>(importantly) the verifier should actually verify the certificate chain

This is taken care of generically in RP ops step 16, so I'd say we're good on that if we just fix the trust path to be returned.

> I wonder if it's best to simply refer to SafetyNet documentation on this, rather than chasing any potential changes there.

I'm inclined to agree; I'll open a separate issue about that.

GitHub Notification of comment by emlun

Received on Thursday, 17 January 2019 11:32:33 UTC