
Re: [webauthn] Android key attestation missing certificate validation steps (#1167)

From: Bart via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Mar 2019 15:39:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-470155337-1551886761-sysbot+gh@w3.org>
Hi @emlun, you're absolutely right, I missed that 🤦‍♂️ thanks!

I'm thinking the wording might be a little more clear to use the same terms as the attestation statement format verification procedures. E.g. reword step 16 to something like:

> 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
> * If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
> * If self attestation was used, verify that self attestation is acceptable under Relying Party policy.
> * If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key returned in the attestation trust path is included in the set of acceptable trust anchors obtained in step 15.
> * Otherwise, use the X.509 certificates returned in the attestation trust path to verify that the attestation public key correctly chains up to an acceptable root certificate.


GitHub Notification of comment by bdewater
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1167#issuecomment-470155337 using your GitHub account
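The decision tree in the proposed step 16 wording, as an added Python example (not code from the WebAuthn specification or from the poster): it models the step 14 outputs and the step 15 trust anchors as hypothetical dataclasses, checks that the trust path root matches an acceptable anchor by SHA-256 fingerprint, and delegates full X.509 path validation (signatures, validity periods, extensions) to a caller-supplied `chain_verifier`, since that needs a real certificate library.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Tuple, Union

# Hypothetical model of the step 14 outputs: attestation type plus the attestation
# trust path (DER certs for x509 types, ECDAA-Issuer key identifier for ECDAA).
@dataclass
class VerificationOutput:
    attestation_type: str                      # "none", "self", "ecdaa", "basic", "attca"
    trust_path: Union[List[bytes], str] = field(default_factory=list)

# Hypothetical RP policy plus the step 15 trust anchors (root cert fingerprints and
# ECDAA issuer key identifiers).
@dataclass
class RelyingPartyPolicy:
    accept_none: bool = False
    accept_self: bool = False
    trust_anchors: frozenset = frozenset()

def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def assess_attestation_trustworthiness(
    out: VerificationOutput, policy: RelyingPartyPolicy,
    chain_verifier: Callable[[List[bytes]], bool]) -> Tuple[bool, str]:
    """Step 16 decision tree; fails closed for anything not explicitly accepted."""
    t = out.attestation_type
    if t == "none":
        return policy.accept_none, "None attestation; allowed by policy: %s" % policy.accept_none
    if t == "self":
        return policy.accept_self, "Self attestation; allowed by policy: %s" % policy.accept_self
    if t == "ecdaa":
        ok = isinstance(out.trust_path, str) and out.trust_path in policy.trust_anchors
        return ok, "ECDAA issuer key id in trust anchors: %s" % ok
    if t in ("basic", "attca"):
        path = out.trust_path
        if not isinstance(path, list) or not path:
            return False, "x509 attestation without a trust path"
        if sha256_fingerprint(path[-1]) not in policy.trust_anchors:
            return False, "trust path root is not an acceptable root certificate"
        if not chain_verifier(path):   # signatures, validity periods, extensions
            return False, "attestation public key does not chain up to the root"
        return True, "x509 chain verified to an acceptable root"
    return False, "unknown attestation type %r" % t

if __name__ == "__main__":
    # Constructed sample data, not real certificates or issuer identifiers.
    anchors = frozenset({sha256_fingerprint(b"constructed-root-der"), "constructed-ecdaa-issuer"})
    policy = RelyingPartyPolicy(accept_self=True, trust_anchors=anchors)
    sample = VerificationOutput("basic", [b"constructed-leaf-der", b"constructed-root-der"])
    print(assess_attestation_trustworthiness(sample, policy, lambda p: True))
```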
Received on Wednesday, 6 March 2019 15:39:24 UTC
