[webauthn] define "self-signed basic attestation type" (#1498)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== define "self-signed basic attestation type" ==
Some authenticators in the wild return, on registration, an attestation certificate that is signed by the private key associated with the public key in the cert, thus there is no certificate chain. The attestation certificate is _essentially_ the "(CA) root certificate".  Verifying such a certificate can be accomplished by, e.g.:
```
$ cd /some-directory    # where the cert files reside...
$ openssl verify -CAfile ./self-signed-cert.pem -CApath /some-directory ./self-signed-cert.pem
./self-signed-cert.pem: OK
```
...though the value of verifying the signature is debatable.  If the RP has obtained the putative "root certificate" via out-of-band means (e.g., via the FIDO Alliance Metadata Service), they can also "verify" the returned attestation cert against the putative "root certificate" by a simple byte-by-byte comparison (once the certificates are both represented in the same format, e.g., DER or PEM).

This key pair is used only for attestation (unlike the present "self-attestation" attstn type, where the user's per-RP key pair is used to construct a one-off per-RP attestation cert) and thus the same attestation cert is returned to all RPs. Thus we ought to define a new attestation type for this.

Since this is fairly similar to Basic Attestation, I suggest:  "Self-signed Basic Attestation"

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1498 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 14 October 2020 23:57:55 UTC
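The two checks the issue describes, as an added shell example that is not part of the issue or of the WebAuthn spec: a self-signed certificate verified with itself as the trust anchor (the `openssl verify` invocation above), and the out-of-band alternative of normalising both certificates to DER and comparing bytes. It assumes the `openssl` CLI is installed; the certificates are constructed throwaway ones standing in for an authenticator's attestation cert and an RP's out-of-band copy, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the issue). Constructed throwaway certificates play
# the roles of an authenticator's self-signed attestation certificate and of
# the copy an RP obtained out of band (e.g. from a metadata service).

WORK="$(mktemp -d)"   # scratch directory for keys and certificates

# Constructed sample: write a self-signed certificate (its own root) to $1
# with subject CN $2. The private key lands next to it as $1.key.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 3650 -subj "/CN=$2" >/dev/null 2>&1
}

# (1) Path validation with the certificate as its own trust anchor, exactly
# the shape of the issue's openssl invocation. Returns 0 when openssl says OK.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# (2) Validate a returned attestation cert ($1) against a trust anchor ($2)
# obtained out of band. Succeeds only if the anchor's key signed $1.
verify_against_anchor() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Normalise a PEM or DER certificate ($1) to DER at $2, so that two copies in
# different encodings can be compared byte for byte.
to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2" 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -outform DER -out "$2" 2>/dev/null
}

# (3) The byte-for-byte alternative from the issue: same DER bytes, same cert.
same_cert_bytes() {
    to_der "$1" "$WORK/lhs.der" && to_der "$2" "$WORK/rhs.der" \
        && cmp -s "$WORK/lhs.der" "$WORK/rhs.der"
}

# Demo: the authenticator's cert, an out-of-band copy stored in DER, and an
# unrelated self-signed cert from some other issuer.
AUTH_CERT="$WORK/self-signed-cert.pem"
OTHER_CERT="$WORK/other-cert.pem"
make_self_signed_cert "$AUTH_CERT" "Example Attestation Root"
make_self_signed_cert "$OTHER_CERT" "Unrelated Attestation Root"
to_der "$AUTH_CERT" "$WORK/oob-root.der"

verify_self_signed "$AUTH_CERT" && echo "self-verify: OK"
if verify_against_anchor "$OTHER_CERT" "$AUTH_CERT"; then
    echo "unrelated cert accepted (unexpected)"
else
    echo "unrelated cert rejected against our anchor (expected)"
fi
if same_cert_bytes "$AUTH_CERT" "$WORK/oob-root.der"; then
    echo "byte comparison with out-of-band copy: match"
fi
if ! same_cert_bytes "$OTHER_CERT" "$WORK/oob-root.der"; then
    echo "byte comparison with unrelated cert: mismatch (expected)"
fi
```

Note that `verify_self_signed` only proves the cert is internally consistent, which is the point the issue calls "debatable"; the RP learns nothing about which authenticator it is talking to until it pins the cert to an out-of-band copy, which is what `same_cert_bytes` (or `verify_against_anchor` with the out-of-band copy as anchor) does.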