- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 17 Jan 2019 11:32:32 +0000
- To: public-webauthn@w3.org
> So yes, the trust path should include the whole chain.

Thanks! We'll get that fixed then.

> clarify that the hostname to check is in the leaf cert

I'd say this is already precise enough since "Let _attestationCert_ be the attestation certificate." implicitly means that _attestationCert_ is the leaf cert. I'll make sure this is preserved in the fix.

> (importantly) the verifier should actually verify the certificate chain

This is taken care of generically in [RP ops step 16](https://w3c.github.io/webauthn/#ref-for-verification-procedure%E2%91%A3), so I'd say we're good on that if we just fix the trust path to be returned.

> I wonder if it's best to simply refer to [SafetyNet documentation](https://developer.android.com/training/safetynet/attestation#verify-compat-check) on this, rather than chasing any potential changes there.

I'm inclined to agree; I'll open a separate issue about that.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1132#issuecomment-455140426 using your GitHub account
Received on Thursday, 17 January 2019 11:32:33 UTC