
Re: [webauthn] Refer android-safetynet verification to SafetyNet documentation? (#1135)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 11:54:07 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-455145947-1547726046-sysbot+gh@w3.org>

I personally have no strong opinion either way on this. Reducing duplication is always nice, but I also find it difficult to find precise instructions in the SafetyNet documentation on how to verify the attestation statement offline - it seems like the target audience for the documentation is mainly Android app developers rather than cryptographic protocol implementers, as the primary option for verification seems to be to contact an online verification service. It's possible to piece together most of our [android-safetynet](https://w3c.github.io/webauthn/#android-safetynet-attestation) verification procedure from the [source code samples](https://github.com/googlesamples/android-play-safetynet/tree/master/server), except they don't do our verification of the `ctsProfileMatch` attribute.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1135#issuecomment-455145947 using your GitHub account
Received on Thursday, 17 January 2019 11:54:09 UTC
