
Re: [webauthn] Is android-safetynet attestation trust path limited to one cert? (#1132)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 11:32:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-455140426-1547724751-sysbot+gh@w3.org>

> So yes, the trust path should include the whole chain.

Thanks! We'll get that fixed then.

> clarify that the hostname to check is in the leaf cert

I'd say this is already precise enough since "Let _attestationCert_ be the attestation certificate." implicitly means that _attestationCert_ is the leaf cert. I'll make sure this is preserved in the fix.

> (importantly) the verifier should actually verify the certificate chain

This is taken care of generically in [RP ops step 16](https://w3c.github.io/webauthn/#ref-for-verification-procedure%E2%91%A3), so I'd say we're good on that if we just fix the trust path to be returned.

> I wonder if it's best to simply refer to [SafetyNet documentation](https://developer.android.com/training/safetynet/attestation#verify-compat-check) on this, rather than chasing any potential changes there.

I'm inclined to agree; I'll open a separate issue about that.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1132#issuecomment-455140426 using your GitHub account
Received on Thursday, 17 January 2019 11:32:33 UTC
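Added example, not part of the list message or of the WebAuthn specification text: a relying-party-side SafetyNet verifier in Go (standard library only) that does what the comments above settle on. It parses x5c from the JWS protected header, validates the whole chain up to a configured trust anchor with the hostname check applied only to attestationCert (the leaf), verifies the ES256 signature with the leaf's key, and returns every x5c certificate as the trust path. The hostname attest.android.com is the one the specification's verification procedure checks; the certificate chain, the root pool, the JWS payload and the names VerifySafetyNetJWS, BuildDemoJWS and mkCert are constructed for this example and are not real SafetyNet or Google material. Checks on the payload itself (nonce, ctsProfileMatch) are out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const safetyNetHost = "attest.android.com" // must appear in attestationCert, i.e. the leaf x5c[0]

// VerifySafetyNetJWS validates the x5c chain of a compact-serialized SafetyNet JWS up to roots
// (RP ops step 16) with the hostname checked on the leaf only, verifies the ES256 signature
// (ECDSA P-256 over SHA-256(header "." payload), encoded as R||S) with the leaf key, and
// returns the whole x5c chain as the attestation trust path.
func VerifySafetyNetJWS(jws string, roots *x509.CertPool) ([]*x509.Certificate, error) {
	parts := strings.Split(jws, ".") // parts[0] always exists, even for an empty input
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"` // standard-base64 DER certificates, leaf first
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, fmt.Errorf("jws: malformed, alg not ES256, or x5c missing")
	}
	chain, inter := []*x509.Certificate{}, x509.NewCertPool()
	for i, b := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(b)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("x5c[%d]: undecodable certificate", i)
		}
		chain = append(chain, c)
		if i > 0 { // everything after attestationCert is a candidate intermediate
			inter.AddCert(c)
		}
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{DNSName: safetyNetHost, Roots: roots, Intermediates: inter}); err != nil {
		return nil, fmt.Errorf("chain: %w", err)
	}
	pub, ok := chain[0].PublicKey.(*ecdsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("jws: leaf key is not ECDSA P-256 or signature malformed")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("jws: signature invalid")
	}
	return chain, nil
}

// mkCert issues a P-256 certificate for cn signed by parent (self-signed when parent is nil).
// Fixture helper for this example only; nothing here is real SafetyNet material.
func mkCert(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // leaf: hostname in the SAN, plus the serverAuth EKU that x509.Verify expects by default
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("fixture: cannot issue certificate")
	}
	return c, key
}

// BuildDemoJWS builds a constructed root -> intermediate -> leaf chain, signs a constructed
// payload with the leaf key, and returns the JWS plus a pool that trusts only the root.
// x5cLen selects x5c = [leaf, intermediate] (2) or attestationCert alone (1).
func BuildDemoJWS(leafHost string, x5cLen int) (string, *x509.CertPool) {
	root, rootKey := mkCert(1, "Constructed Root CA", true, nil, nil)
	inter, interKey := mkCert(2, "Constructed Intermediate CA", true, root, rootKey)
	leaf, leafKey := mkCert(3, leafHost, false, inter, interKey)
	x5c := []string{base64.StdEncoding.EncodeToString(leaf.Raw), base64.StdEncoding.EncodeToString(inter.Raw)}[:x5cLen]
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "x5c": x5c})
	payload := []byte(`{"nonce":"Y29uc3RydWN0ZWQ","ctsProfileMatch":true,"basicIntegrity":true}`)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, leafKey, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), roots
}

func main() {
	chain, err := VerifySafetyNetJWS(BuildDemoJWS(safetyNetHost, 2))
	fmt.Println("trust path length:", len(chain), "err:", err)
}
```

Run as-is it prints a trust path of length 2, leaf first and then the intermediate. Building the JWS with x5cLen = 1 reproduces the problem behind this issue: if only attestationCert is carried forward, step 16 cannot connect it to the root and Verify fails with an unknown-authority error, while a leaf issued for any other hostname is rejected by the DNSName check regardless of how complete the chain is.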
