Re: [webauthn] "android-key" and "android-safetynet" are really basic attestation type support? (#1819)

I understand the logic behind the Android Key Attestation. So, the attestation key (and certificate) is shared across Android devices, and the credential certificate for the user public key is signed by the attestation key, which makes sense that the trust model for this is "basic".

As a result,

- The WebAuthn spec needs to change the Android SafetyNet attestation trust model (attestation type) from **Basic** to **AnonCa**.
- The FIDO spec (registry) needs to change the Android Key attestation trust model from **AnonCa** to **Basic**, which is referred to by FIDO MDS.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1819#issuecomment-1407249156 using your GitHub account



Received on Saturday, 28 January 2023 01:46:41 UTC