
Re: [webauthn] Android key attestation missing certificate validation steps (#1167)

From: Bart via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Mar 2019 15:39:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-470155337-1551886761-sysbot+gh@w3.org>
Hi @emlun you're absolutely right, I missed that 🤦‍♂️ thanks!

I'm thinking the wording might be a little more clear to use the same terms as the attestation statement format verification procedures. E.g. reword step 16 to something like:

> 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
> 
> * If no attestation was provided, verify that None attestation is acceptable under Relying Party policy.
> * If self attestation was used, verify that self attestation is acceptable under Relying Party policy.
> * If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key returned in the attestation trust path is included in the set of acceptable trust anchors obtained in step 15.
> * Otherwise, use the X.509 certificates returned in the attestation trust path to verify that the attestation public key correctly chains up to an acceptable root certificate.

WDYT?

-- 
GitHub Notification of comment by bdewater
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1167#issuecomment-470155337 using your GitHub account
Received on Wednesday, 6 March 2019 15:39:24 UTC
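The branching in the proposed step 16 wording, as an added example that is not part of the original comment or of the WebAuthn specification: a Go program that dispatches on the attestation type and, for the X.509 case, verifies that the attestation public key's certificate chains through the returned trust path to an acceptable root. The `AttestationType` and `Policy` names are assumptions made for this illustration, the certificates are constructed in-process, and the trust path is taken leaf-first as in a WebAuthn `x5c` array.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AttestationType names the cases distinguished by the proposed step 16 wording (hypothetical names).
type AttestationType int

const (
	AttestationNone AttestationType = iota
	AttestationSelf
	AttestationECDAA
	AttestationX509 // Basic or AttCA: an X.509 trust path was returned
)

// Policy is a hypothetical stand-in for Relying Party policy plus the
// acceptable trust anchors obtained in step 15.
type Policy struct {
	AllowNone              bool
	AllowSelf              bool
	AcceptableECDAAIssuers map[string]bool // identifiers of acceptable ECDAA-Issuer public keys
	AcceptableRoots        *x509.CertPool  // acceptable X.509 root certificates
}

// AssessTrustworthiness follows the four branches of the proposed step 16.
// trustPath is the attestation trust path, leaf certificate first.
func AssessTrustworthiness(t AttestationType, trustPath []*x509.Certificate, ecdaaIssuerID string, p Policy) error {
	switch t {
	case AttestationNone:
		if !p.AllowNone {
			return errors.New("None attestation is not acceptable under Relying Party policy")
		}
		return nil
	case AttestationSelf:
		if !p.AllowSelf {
			return errors.New("self attestation is not acceptable under Relying Party policy")
		}
		return nil
	case AttestationECDAA:
		if !p.AcceptableECDAAIssuers[ecdaaIssuerID] {
			return fmt.Errorf("ECDAA-Issuer key %q is not an acceptable trust anchor", ecdaaIssuerID)
		}
		return nil
	default:
		return verifyTrustPath(trustPath, p.AcceptableRoots)
	}
}

// verifyTrustPath checks that the leaf (attestation public key) chains, through
// any intermediates carried in the path, to one of the acceptable roots.
func verifyTrustPath(trustPath []*x509.Certificate, roots *x509.CertPool) error {
	if len(trustPath) == 0 {
		return errors.New("attestation trust path is empty")
	}
	if roots == nil {
		return errors.New("no acceptable root certificates configured")
	}
	intermediates := x509.NewCertPool()
	for _, c := range trustPath[1:] {
		intermediates.AddCert(c)
	}
	_, err := trustPath[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Fixture is a constructed chain (root -> intermediate -> leaf) plus two anchor sets.
type Fixture struct {
	TrustPath  []*x509.Certificate // leaf, then intermediate
	GoodRoots  *x509.CertPool      // contains the root that issued the intermediate
	WrongRoots *x509.CertPool      // contains only an unrelated root
}

// issue signs template under parent with parentKey and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// template builds a minimal certificate template; CA certificates get the constraints Go's verifier requires.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// NewFixture generates fresh P-256 keys and a constructed (non-production) chain.
func NewFixture() (*Fixture, error) {
	var keys [4]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey, otherKey := keys[0], keys[1], keys[2], keys[3]
	rootTmpl := template("Constructed Attestation Root", 1, true)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(template("Constructed Attestation Intermediate", 2, true), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template("Constructed Attestation Key", 3, false), inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	otherTmpl := template("Constructed Unrelated Root", 4, true)
	other, err := issue(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	if err != nil {
		return nil, err
	}
	good, wrong := x509.NewCertPool(), x509.NewCertPool()
	good.AddCert(root)
	wrong.AddCert(other)
	return &Fixture{TrustPath: []*x509.Certificate{leaf, inter}, GoodRoots: good, WrongRoots: wrong}, nil
}

func main() {
	fx, err := NewFixture()
	if err != nil {
		panic(err)
	}
	fmt.Println("x509, issuing root acceptable:", AssessTrustworthiness(AttestationX509, fx.TrustPath, "", Policy{AcceptableRoots: fx.GoodRoots}))
	fmt.Println("x509, unrelated root only:", AssessTrustworthiness(AttestationX509, fx.TrustPath, "", Policy{AcceptableRoots: fx.WrongRoots}))
	fmt.Println("none, disallowed by policy:", AssessTrustworthiness(AttestationNone, nil, "", Policy{}))
}
```

The point the chain branch makes is that a syntactically valid trust path is not enough: the same leaf and intermediate are rejected the moment the anchor set from step 15 does not contain the root that actually issued them, which is what "correctly chains up to an acceptable root certificate" requires.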
