- From: Emil Lundberg <emil@yubico.com>
- Date: Fri, 5 May 2023 15:06:33 +0200
- To: Andrew Coutts <andrew.coutts@nydig.com>
- Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>
- Message-ID: <CANMnvkw6=Ztb_t7M-tK9WDYNF5267VpCxNg0okS=9vOh30RURA@mail.gmail.com>
Strictly speaking it's not necessary to add it to the WebAuthn spec if it already has its own document specifying the format. The official registry of attestation statement formats is not actually the WebAuthn spec, it's the IANA registry <https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids> which the WebAuthn spec itself also contributes its attestation format specs to. Apple should register apple-appattest in the IANA registry if they want to help third party libraries discover and add support for it.

I guess perhaps moving the apple-appattest spec into the WebAuthn spec could further help drive adoption, but it fills quite a different role than the other WebAuthn attestation statement formats, so it's probably not as relevant. apple-appattest is about authenticating an app distribution, so it's incredibly unlikely that a WebAuthn RP would encounter a user showing up with an unsolicited apple-appattest statement.

Or to put it another way: the use of the other attestation formats is chosen by the user (via their choice of authenticator), while the use of apple-appattest is chosen by the RP. For the other formats the RP might need to pre-emptively implement support since it might not know what formats users will use. For apple-appattest the RP already knows it needs to be able to verify it before even requesting it.

If you're using a third-party WebAuthn RP library or service to verify attestation statements, you should ask the developer of that library or service to implement support for apple-appattest.

Emil Lundberg
Senior Software Engineer | Yubico <http://www.yubico.com/>

On Fri, Apr 28, 2023 at 10:46 PM Andrew Coutts <andrew.coutts@nydig.com> wrote:

> Hi – I’m using Apple’s AppAttest framework to get an attestation about a
> device to verify it is legitimate and untampered. I want to communicate
> this to my WebAuthn RP. The attestation from AppAttest comes back with
> *fmt* set to *apple-appattest*.
>
> Is there any plan to add support for this format to the spec?
>
> More:
> https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server#3576643

Received on Friday, 5 May 2023 13:06:56 UTC