Re: [webauthn] Confused About What To Do With Attestation Trust Paths (#1662)

@DanielSanchezDiaz The IETF defined a mechanism called [PKIX Validation](https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html) that defines a very precise process for how to find the Trust Anchor of a given certificate (for example, the Attestation certificate used by the Authenticator) to determine whether you choose to trust the certificate.

This trust depends, quite significantly, on whether the creators of the Attestation certificate chose the right certificate extensions, populated them with the right values, and established the "infrastructure" to support certificate verification on the internet. Unfortunately, without looking at the actual Attestation certificate and going through the PKIX Validation process, it is impossible to tell whether you can validate such a certificate or its chain completely - each certificate in the chain _must_ have all the right values to chain correctly.

[Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS) used to have one of the most easily understood articles on this topic; the links are broken right now (I've filed an issue), but you can get a decent introduction to the topic if you look at the section on "How CA Certificates Are Used to Establish Trust" in this archived copy at http://web.archive.org/web/20140704130514/https://developer.mozilla.org/en-US/docs/Introduction_to_Public-Key_Cryptography.

The link at [Oracle](https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html) provides useful tools for performing the validation in Java. If you're looking for a simplified implementation of those classes, you'll find it in the source code of [PKI2FIDO](https://sourceforge.net/projects/pki2fido/) at Sourceforge.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1662#issuecomment-896755829 using your GitHub account

Received on Wednesday, 11 August 2021 11:42:52 UTC
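As an added example (not part of arshadnoor's comment, and not code from PKI2FIDO or the Java CertPath guide the comment links to), here is the PKIX path validation step the comment describes, done with Go's standard `crypto/x509` package. The root, intermediate and attestation leaf certificates are generated in memory and are entirely constructed; the subject names, serial numbers and validity periods are hypothetical. The example builds one well-formed chain and one in which the intermediate was issued without `cA=TRUE`, then shows that path validation accepts the first and rejects the second, and that the leaf also fails against an unrelated trust anchor:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> attestation-leaf path (demo only).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// template returns a certificate template; subject names are hypothetical.
func template(serial int64, cn string, ca bool, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  ca,
		BasicConstraintsValid: true, // encode cA=TRUE or cA=FALSE explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
}

// sign issues tmpl under parent and re-parses the DER so SKI/AKI and
// BasicConstraints are populated exactly as a relying party would see them.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs the path in memory. With intermediateIsCA=false the
// intermediate is issued with cA=FALSE: one wrong extension value in the middle.
func BuildChain(intermediateIsCA bool) (*Chain, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := template(1, "Example Attestation Root CA", true, 10)
	rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	interTmpl := template(2, "Example Attestation Intermediate CA", intermediateIsCA, 5)
	interTmpl.KeyUsage = x509.KeyUsageCertSign // keep KU fixed so only cA differs
	inter, err := sign(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := template(3, "Example Authenticator Attestation", false, 2)
	// WebAuthn's packed attestation format requires this OU on the attestation cert.
	leafTmpl.Subject.OrganizationalUnit = []string{"Authenticator Attestation"}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// ValidateAttestationPath runs PKIX path validation (RFC 5280 s.6) on leaf with
// only trusted as anchors; returns the path leaf-first, anchor-last, or an error.
func ValidateAttestationPath(leaf *x509.Certificate, intermediates, trusted []*x509.Certificate) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         pool(trusted),
		Intermediates: pool(intermediates),
		// Attestation certs carry no TLS EKU; Go's default would demand ServerAuth.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	good, _ := BuildChain(true)
	bad, _ := BuildChain(false)
	path, err := ValidateAttestationPath(good.Leaf, []*x509.Certificate{good.Intermediate}, []*x509.Certificate{good.Root})
	fmt.Println("well-formed chain: path length", len(path), "err:", err)
	_, err = ValidateAttestationPath(bad.Leaf, []*x509.Certificate{bad.Intermediate}, []*x509.Certificate{bad.Root})
	fmt.Println("intermediate with cA=FALSE: err:", err)
}
```

The `KeyUsages` override matters in practice: Go's `Verify` defaults to requiring a TLS server-auth EKU, which an attestation certificate never carries, so a relying party porting this check has to say explicitly which usages it accepts. Path validation only answers whether the leaf chains to one of the anchors you supplied; deciding which anchors belong in that pool (for example, the vendor roots a relying party obtains out of band) is a separate policy decision.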