Re: [webauthn] "android-key" and "android-safetynet" are really basic attestation type support? (#1819)

I don't fully know the intent of the "applicable formats" listing in the FIDO common specs that you linked, but the [CTAP spec](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential) doesn't refer to those attestation types and instead points to WebAuthn for all details on attestation. So I think we can count WebAuthn as authoritative for FIDO2.

Android Keystore Attestation is correctly classified as "basic". Its signatures are based on batch keys shipped on devices.

Android SafetyNet, however, is, at least as far as I can tell, only labelled as "basic" because it (I think) predates the attestation type concept. You are correct that it should really be marked as AnonCA. I don't currently see any problem with changing that in the spec, but I could be missing some side effects with RP-specific processing.

-- 
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1819#issuecomment-1405822096 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 26 January 2023 23:46:26 UTC