Re: [webauthn] define "self-signed basic attestation type" "SSBasic" (#1499)

> I'm not sure how this is qualitatively different from any other Basic attestation.  ...  So why does this special case need its own category?

Yes, it may not merit its own attestation type.  Perhaps clarifying that an authenticator's "attestation root certificate" (as made available by the authnr's manufacturer) may be the same as the authnr-returned attestation cert, and can be "verified" by either a byte-by-byte comparison or verifying the signature, is sufficient.

As it turns out, the FIDO Metadata Statement spec [allows for such self-signed attestation certificates](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-metadata-statement-v1.2-ps-20170411.html#h_note_21:~:text=It%20might%20be%20the%20actual%20certificate%20presented%20by%20the%20authenticator).

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1499#issuecomment-713801566 using your GitHub account


Received on Wednesday, 21 October 2020 18:52:29 UTC
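
The two checks named in the comment above (byte-by-byte comparison, or verifying the signature), as an added Go example that is not part of the original thread or of the WebAuthn or FIDO specifications. `matchTrustAnchor` and `constructedCert` are hypothetical names, and the sample certificate is constructed at run time for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// matchTrustAnchor compares the one returned attestation cert with the metadata's DER roots.
func matchTrustAnchor(attDER []byte, roots [][]byte) (string, error) {
	att, err := x509.ParseCertificate(attDER)
	if err != nil {
		return "", err
	}
	for _, r := range roots {
		if bytes.Equal(attDER, r) { // the listed "root" is the attestation cert itself
			return "byte-identical", nil
		}
		// Verify with the metadata's key, never att's own: self-verification proves nothing.
		root, err := x509.ParseCertificate(r)
		if err == nil && root.CheckSignature(att.SignatureAlgorithm, att.RawTBSCertificate, att.Signature) == nil {
			return "signature", nil
		}
	}
	return "", errors.New("attestation certificate matches no listed trust anchor")
}

// constructedCert builds a throwaway self-signed, non-CA sample cert (nil k = fresh key).
func constructedCert(k *ecdsa.PrivateKey, serial int64) ([]byte, *ecdsa.PrivateKey) {
	if k == nil {
		k, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)
	if err != nil {
		panic(err)
	}
	return der, k
}

func main() {
	att, _ := constructedCert(nil, 1)
	fmt.Println(matchTrustAnchor(att, [][]byte{att}))
}
```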