[webauthn] "android-key" and "android-safetynet" are really basic attestation type support? (#1819)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== "android-key" and "android-safetynet" are really basic attestation type support? ==
## Proposed Change

While I'm integrating FIDO MDS3 with our WebAuthn Server, I figured out that the [FIDO spec](https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html) and WebAuthn Spec do not align properly regarding attestation types.

The FIDO spec describes that

> ATTESTATION_ANONCA 0x3E0C "anonca"
> In this case, the authenticator uses an Anonymization CA which dynamically generates per-credential attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes. The applicable [[WebAuthn](https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#bib-WebAuthn)] attestation formats "fmt" are Google SafetyNet Attestation "android-safetynet", Android Keystore Attestation "android-key", Apple Anonymous Attestation "apple", and Apple Application Attestation "apple-appattest".

As indicated, the "android-safetynet", "android-key" and "apple" attestation formats support Anonymization CA.

In the WebAuthn Spec,
The "android-key" and "android-safetynet" formats support "basic" attestation and the "apple" format supports "anonymization ca".
Also, the spec defines that,
Basic attestation is

> In the case of basic attestation [[UAFProtocol]](https://w3c.github.io/webauthn/#biblio-uafprotocol), the authenticator’s [attestation key pair](https://w3c.github.io/webauthn/#attestation-key-pair) is specific to an authenticator "model", i.e., a "batch" of authenticators. Thus, authenticators of the same, or similar, model often share the same [attestation key pair](https://w3c.github.io/webauthn/#attestation-key-pair). See [§ 14.4.1 Attestation Privacy](https://w3c.github.io/webauthn/#sctn-attestation-privacy) for further information.

[Basic attestation](https://w3c.github.io/webauthn/#basic-attestation) is also referred to as batch attestation.

Anonymization CA is

> In this case, the [authenticator](https://w3c.github.io/webauthn/#authenticator) uses an [Anonymization CA](https://w3c.github.io/webauthn/#anonymization-ca) which dynamically generates per-[credential](https://w3c.github.io/webappsec-credential-management/#concept-credential) [attestation certificates](https://w3c.github.io/webauthn/#attestation-certificate) such that the [attestation statements](https://w3c.github.io/webauthn/#attestation-statement) presented to [Relying Parties](https://w3c.github.io/webauthn/#relying-party) do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.

**As per my understanding,
Android key attestation generates the attestation certificate per the attestation public key pair (which is equal to the credential public key pair). So it should be Anonymization CA rather than Basic.
In the case of Android safetynet, it is not clear whether the attestation certificate which is used to sign the JWS is generated per credential or is just a batched certificate. Depending on it, it would be Basic or Anonymization CA.**


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1819 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 26 October 2022 02:37:15 UTC
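
A server that compares the attestation type produced by WebAuthn verification against an MDS3 entry's `attestationTypes` can report the mismatch described in this issue as its own verdict instead of a generic failure. The following is an added example, not code from the issue, the WebAuthn spec or the FIDO specs; the function name, the verdict strings, the type-to-registry mapping and the sample metadata values are assumptions constructed for illustration.

```python
# Added example: all names below are hypothetical, not from either specification.

# WebAuthn attestation type -> FIDO registry "attestationTypes" string.
# Assumption of this example: Basic corresponds to "basic_full", Self to "basic_surrogate".
WEBAUTHN_TO_REGISTRY = {
    "basic": "basic_full",
    "self": "basic_surrogate",
    "attca": "attca",
    "anonca": "anonca",
    "none": "none",
}

# Formats that the FIDO registry text quoted in the issue lists under ATTESTATION_ANONCA.
REGISTRY_ANONCA_FORMATS = {"android-safetynet", "android-key", "apple", "apple-appattest"}


def reconcile(fmt, webauthn_type, mds_attestation_types):
    """Compare the type from WebAuthn verification with the metadata entry.

    Returns "match", "spec-divergence" or "mismatch".
    """
    declared = set(mds_attestation_types)
    wtype = webauthn_type.lower()
    expected = WEBAUTHN_TO_REGISTRY.get(wtype)
    if expected is None:
        raise ValueError(f"unknown WebAuthn attestation type: {webauthn_type!r}")
    if expected in declared:
        return "match"
    # WebAuthn reports Basic for these formats while the registry files them under anonca.
    if wtype == "basic" and fmt in REGISTRY_ANONCA_FORMATS and "anonca" in declared:
        return "spec-divergence"
    return "mismatch"


# Constructed samples: (fmt, type from WebAuthn verification, metadata attestationTypes)
SAMPLES = [
    ("android-key", "Basic", ["anonca"]),
    ("apple", "AnonCA", ["anonca"]),
    ("packed", "Basic", ["basic_full"]),
    ("packed", "Basic", ["anonca"]),
    ("android-safetynet", "Self", ["anonca"]),
]

if __name__ == "__main__":
    for fmt, wtype, declared in SAMPLES:
        print(f"{fmt:18} {wtype:7} {declared} -> {reconcile(fmt, wtype, declared)}")
```

Whether a "spec-divergence" verdict is accepted or rejected is a Relying Party policy decision; the example only separates it from an unexplained mismatch.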