Re: [webauthn] define "self-signed basic attestation type" (#1498)

I think a more explicit description of why it is believed this needs to be differentiated from "Basic" attestation might help with a more open discussion. My limited understanding is that this somehow ties back into RFC5280, but I am not sure where (or if) WebAuthn defines that "Basic" attestation x5c verification must always follow RFC5280. Is this explicit anywhere?

Step 21 (3rd sub-bullet) of section 7.1 of the current editors' draft uses the text: "Otherwise, use the X.509 certificates returned as the attestation trust path from the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate".

RFC5280 might surely be one (even the preferred) way to do that, but couldn't we simply indicate that for self-signed attestation certs there are other ways this might be done without having to introduce a new type of attestation definition?

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1498#issuecomment-709632228 using your GitHub account
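The two verification policies contrasted in the comment above, shown side by side as an added example in Go (this is not code from the comment author, the WebAuthn specification or the w3c/webauthn project). `verifyBasicTrustPath` does the "Basic" case: an RFC 5280-style path validation, via Go's standard `crypto/x509`, of the x5c chain up to an acceptable root. `acceptPinnedSelfSigned` is one illustrative alternative for a self-signed attestation certificate that has no root to chain to: it requires a single certificate whose issuer equals its subject, whose signature verifies under its own key, and whose DER is in a set the relying party pinned out of band. The function names, the pinning policy and the fixture certificates (generated in `fixtures`) are this example's own assumptions, not anything the spec defines.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl (carrying public key pub) with signer; a nil parent makes it self-signed.
func makeCert(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// template builds a constructed certificate template: a CA-capable root when ca is true,
// otherwise an end-entity attestation certificate with basicConstraints CA:FALSE.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// verifyBasicTrustPath is the "Basic" case: RFC 5280-style path validation of the x5c
// chain (leaf first, intermediates after) up to one of the relying party's acceptable roots.
func verifyBasicTrustPath(x5c []*x509.Certificate, roots *x509.CertPool) error {
	if len(x5c) == 0 {
		return errors.New("empty x5c")
	}
	inter := x509.NewCertPool()
	for _, c := range x5c[1:] {
		inter.AddCert(c)
	}
	_, err := x5c[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// acceptPinnedSelfSigned is an assumed alternative policy for a self-signed attestation
// certificate: exactly one cert, issuer == subject, valid self-signature, DER pinned by the RP.
// CheckSignature is used rather than CheckSignatureFrom because the latter would also demand
// CA:TRUE, which an attestation certificate does not carry.
func acceptPinnedSelfSigned(x5c []*x509.Certificate, pinned [][]byte) error {
	if len(x5c) != 1 {
		return fmt.Errorf("expected a single self-signed certificate, got %d", len(x5c))
	}
	c := x5c[0]
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return errors.New("issuer does not match subject")
	}
	if err := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	for _, p := range pinned {
		if bytes.Equal(p, c.Raw) {
			return nil
		}
	}
	return errors.New("self-signed attestation certificate is not pinned")
}

// fixtures generates constructed test material: an acceptable root, an attestation cert
// chained to it, and a stand-alone self-signed attestation cert.
func fixtures() (*x509.CertPool, []*x509.Certificate, []*x509.Certificate, error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, nil, errors.New("key generation failed")
	}
	root, err := makeCert(template(1, "Example Root", true), &rootKey.PublicKey, nil, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err := makeCert(template(2, "Example Attestation", false), &attKey.PublicKey, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	self, err := makeCert(template(3, "Example Self-Signed Attestation", false), &attKey.PublicKey, nil, attKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, []*x509.Certificate{leaf}, []*x509.Certificate{self}, nil
}

func main() {
	roots, chained, self, err := fixtures()
	if err != nil {
		panic(err)
	}
	fmt.Println("basic path, chained cert:    ", verifyBasicTrustPath(chained, roots))
	fmt.Println("basic path, self-signed cert:", verifyBasicTrustPath(self, roots))
	fmt.Println("pinned, self-signed cert:    ", acceptPinnedSelfSigned(self, [][]byte{self[0].Raw}))
}
```

Running it shows the point of the thread: the chained certificate passes path validation, the self-signed one fails it (no path to any root), and the pinning policy accepts the self-signed certificate without needing a second attestation type; whether such an alternative belongs in the "Basic" text or in a new type is exactly the open question.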


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 October 2020 22:56:09 UTC