[webauthn] RP ops registration step 16 is missing a case for None attestation (#1136) from Emil Lundberg via GitHub on 2019-01-17 (public-webauthn@w3.org from January 2019)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 14:30:09 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-400302523-1547735408-sysbot+gh@w3.org>

emlun has just created a new issue for https://github.com/w3c/webauthn:

== RP ops registration step 16 is missing a case for None attestation ==
Step 16 of [§7.1. Registering a New Credential](https://w3c.github.io/webauthn/#registering-a-new-credential) currently reads:

>Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
>- If self attestation was used, check if self attestation is acceptable under Relying Party policy.
>- If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
>- Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

This is missing a case for None attestation, which would be almost identical to (or, alternatively, merged with) that for self attestation:

>- If none attestation was used, check if no attestation is acceptable under Relying Party policy.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1136 using your GitHub account

Received on Thursday, 17 January 2019 14:30:15 UTC