- From: Arshad Noor <arshad.noor@strongkey.com>
- Date: Wed, 14 Oct 2020 18:08:14 -0700
- To: public-webauthn@w3.org
Not sure I understand the benefit of the 2 suggestions, Jeff: (1) The need to highlight that the Attestation Certificate (AC) is a self-signed one (as opposed to one with a certificate-chain). Anyone doing PKIX validation on the AC will realize this is a self-signed certificate, so calling it out is not going to add any benefit to the RP - or at least I don't see it; (2) Comparing the AC retrieved from the registration process to the AC downloaded from the MDS is superfluous. If the RP has determined the AAGUID from the Attestation Object, assuming they trust the MDS, they can simply use the AC from the MDS to verify the signature in the attestation. If they don't trust the MDS, then they need to trust their out-of-band validation processes for that brand of Authenticator. If they're not doing that either, then I'm not sure what benefit the attestation gives them. Arshad Noor StrongKey On 10/14/20 4:57 PM, =JeffH via GitHub wrote: > equalsJeffH has just created a new issue for > https://github.com/w3c/webauthn: > > == define "self-signed basic attestation type" == > some authenticators in the wild return, on registration, an attestation > certificate that is signed by the private key associated with the public > key in the cert, thus there is no certificate chain. The attestation > certificate is _essentially_ the "(CA) root certificate". Verifying > such a certificate can be accomplished by, e.g.: ``` > $ cd /some-directory # where the cert files reside... > $ openssl verify -CAfile ./self-signed-cert.pem -CApath /some-directory > ./self-signed-cert.pem > ./self-signed-cert.pem: OK > ``` > ...though the value of verifying the signature is debatable. If the RP > has obtained the putative "root certificate" via out-of-band means > (e.g., via the FIDO Alliance Metadata Service), they can also "verfiy" > the returned attestation cert against the putative "root certificate" by > a simple byte-by-byte comparison (once the certificates are both > represented in the same format, e.g., DER or PEM). > > This key pair is used only for attestation (unlike the present > "self-attestation" attstn type, where the user's per-RP key pair is used > to construct a one-off per-RP attestation cert) and thus the same > attestation cert is returned to all RPs. Thus we ought to define a new > attestation type for this. > > Since this is fairly similar to Basic Attestation, I suggest: > "Self-signed Basic Attestation" > > Please view or discuss this issue at > https://github.com/w3c/webauthn/issues/1498 using your GitHub account > >
Received on Thursday, 15 October 2020 01:08:30 UTC