W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2019

Re: [webauthn] Android key attestation missing certificate validation steps (#1167)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Mar 2019 12:28:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-470089338-1551875319-sysbot+gh@w3.org>
Do I read those quoted steps to mean, in summary, "verify the certificate path"? If so, steps 15 and 16 of [ยง7.1. Registering a New Credential][reg] should cover that for all attestation statement formats at once, though in more abstract terms:

>15. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.
>14. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
>     - If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
>     - If self attestation was used, verify that self attestation is acceptable under Relying Party policy.
>     - If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
>     - Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.

Closely related: #950

[reg]: https://w3c.github.io/webauthn/#registering-a-new-credential

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1167#issuecomment-470089338 using your GitHub account
Received on Wednesday, 6 March 2019 12:28:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC