- From: Shawn Willden via GitHub <sysbot+gh@w3.org>
- Date: Thu, 20 Apr 2023 14:25:56 +0000
- To: public-webauthn@w3.org
Note that Android is migrating from batch attestation keys to remotely-provisioned certificates. The device will generate a set of key pairs locally, and then reach out to what is essentially a Google-operated anonymization server, which will provide certificates for each of the locally-generated public keys. Each app on the device that uses key attestation will get assigned one of the key pairs and a corresponding certificate. The certificates are short-lived (~30 days), and when a given app's certificate expires, it will get a new key pair and certificate. We're just beginning to roll this scheme out, starting with Android T. To date about 100M devices are using remotely-provisioned attestation certificates, but this number will grow rapidly. We recognize that in the case of a web browser, a single app is used with many web sites and the current design means that all web sites will get the same certificate (for ~30 days). I think this means that Android key attestation with RKP (Remote Key Provisioning -- yes, it's a misnomer because we remotely provision certs, not keys) is still "Basic" not "AnonCA", and in fact is a little worse for user privacy. We are contemplating a change that will allow apps like web browsers to get many keys & certs, one per site, which will move it to AnonCA, I think. -- GitHub Notification of comment by divegeek Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1819#issuecomment-1516428075 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 20 April 2023 14:25:58 UTC