Re: apple-appattest attestation format

Strictly speaking it's not necessary to add it to the WebAuthn spec if it
already has its own document specifying the format. The official registry
of attestation statement formats is not actually the WebAuthn spec, it's
the IANA registry
<https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids>,
which the WebAuthn spec itself also contributes its attestation format specs to.
Apple should register apple-appattest in the IANA registry if they want to
help third-party libraries discover and add support for it.

I guess perhaps moving the apple-appattest spec into the WebAuthn spec
could further help drive adoption, but it fills quite a different role than
the other WebAuthn attestation statement formats, so it's probably not as
relevant. apple-appattest is about authenticating an app distribution, so
it's incredibly unlikely that a WebAuthn RP would encounter a user showing
up with an unsolicited apple-appattest statement. Or to put it another way:
the use of the other attestation formats is chosen by the user (via their
choice of authenticator), while the use of apple-appattest is chosen by the
RP. For the other formats the RP might need to pre-emptively implement
support since it might not know what formats users will use. For
apple-appattest the RP already knows it needs to be able to verify it
before even requesting it.

If you're using a third-party WebAuthn RP library or service to verify
attestation statements, you should ask the developer of that library or
service to implement support for apple-appattest.

Emil Lundberg

Senior Software Engineer | Yubico <http://www.yubico.com/>




On Fri, Apr 28, 2023 at 10:46 PM Andrew Coutts <andrew.coutts@nydig.com>
wrote:

> Hi – I’m using Apple’s AppAttest framework to get an attestation about a
> device to verify it is legitimate and untampered. I want to communicate
> this to my WebAuthn RP. The attestation from AppAttest comes back with
> *fmt* set to *apple-appattest*.
>
> Is there any plan to add support for this format to the spec?
>
>
>
> More:
> https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server#3576643
>

Received on Friday, 5 May 2023 13:06:56 UTC