- From: Bart via GitHub <sysbot+gh@w3.org>
- Date: Wed, 06 Mar 2019 06:02:09 +0000
- To: public-webauthn@w3.org
bdewater has just created a new issue for https://github.com/w3c/webauthn: == Android key attestation missing certificate validation steps == This [blog post](https://medium.com/@herrjemand/webauthn-fido2-verifying-android-keystore-attestation-4a8835b33e9d) by @herrjemand mentions: > 6. Check that root certificate(last in the chain) is set to: > https://gist.github.com/herrjemand/a612608dfbb2bc136aba57c64ff4a04c#file-androidkey-attestation-root-pem > At the moment of writing, Google does not publish this certificate, so this was extracted from one of the attestations. > 7. Verify certificate path using the algorithm specified in RFC5280 section 6 and further down in the code snippet: > * The last certificate in x5c must match this certificate > * This needs to be checked to ensure that malicious party wont generate fake attestations It struck me as odd that these steps are not mentioned in the spec given these warnings. Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1167 using your GitHub account
Received on Wednesday, 6 March 2019 06:02:11 UTC