[webauthn] How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? (#1998)

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? ==
Consider the current text at: https://www.w3.org/TR/webauthn-3/#sctn-packed-attestation-cert-requirements

This suggests that the packed attestation certificate OID extension 1.3.6.1.4.1.45724.1.1.4 is compulsory, but only if the root CA is used for multiple authenticator models. How is an RP supposed to know if it is or isn't used for multiple authenticator models such that it can *conditionally* enforce this requirement?

Is there anything in MDS to indicate this condition?
Is an RP supposed to look up the MDS (by AAGUID), then find the matching root CA entry from attestationRootCertificates, then scan all other known MDS entries to see if any others contain the same root CA? (Seems like extraordinary overkill, and subject to errors.)

If this cert OID extension is really always required for packed attestation certificates, then we should say that, otherwise it should be marked optional, and there seems little value in requiring validation of its contents against the AAGUID in authenticatorData.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1998 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 16 November 2023 03:02:41 UTC
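As an added example (not part of the issue above, and not code from the WebAuthn spec or any project it references): the RP-side check that the packed attestation verification procedure actually describes, written in stdlib-only Python. The procedure is stated unconditionally from the RP's point of view: if the leaf certificate in x5c carries the id-fido-gen-ce-aaguid extension (OID 1.3.6.1.4.1.45724.1.1.4), its value must be a 16-byte OCTET STRING equal to the AAGUID in authenticatorData, and the extension must not be marked critical; if the extension is absent there is nothing in the certificate for the RP to compare, which is exactly the gap the issue raises. The certificate and authenticatorData used here are constructed skeletons (unsigned, placeholder key and names) built by the helper functions in the block, and all function names are mine.

```python
"""Check the id-fido-gen-ce-aaguid extension of a packed-attestation leaf
certificate against the AAGUID in authenticatorData, using a minimal DER walk.
Added example; the sample certificate and authenticatorData are constructed."""

import hashlib
from typing import List, Optional, Tuple

ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4"  # extension OID from the WebAuthn spec


def encode_oid(dotted: str) -> bytes:
    """DER content bytes of an OBJECT IDENTIFIER (first two arcs share one byte, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one definite-length TLV (only used to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + content


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after the TLV). Single-byte tags only."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        nbytes = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + n], pos + n


def der_children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed TLV into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def find_aaguid_extension(cert_der: bytes) -> Optional[Tuple[bytes, bool]]:
    """Return (aaguid, critical) from the certificate, or None if the extension is absent.
    Raises ValueError when the extension is present but not a 16-byte OCTET STRING."""
    _, cert, _ = der_read(cert_der)             # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert)                  # tbsCertificate is the first child
    want = encode_oid(ID_FIDO_GEN_CE_AAGUID)
    for tag, body in der_children(tbs):
        if tag != 0xA3:                         # extensions [3] EXPLICIT Extensions OPTIONAL
            continue
        _, exts, _ = der_read(body)             # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(exts):
            fields = der_children(ext)          # extnID, [critical BOOLEAN], extnValue OCTET STRING
            if fields[0][0] != 0x06 or fields[0][1] != want:
                continue
            critical = len(fields) == 3 and fields[1][1] != b"\x00"
            outer_tag, outer = fields[-1]
            inner_tag, aaguid, _ = der_read(outer)   # extnValue wraps a second OCTET STRING
            if outer_tag != 0x04 or inner_tag != 0x04 or len(aaguid) != 16:
                raise ValueError("id-fido-gen-ce-aaguid value is not a 16-byte OCTET STRING")
            return aaguid, critical
    return None


def aaguid_from_auth_data(auth_data: bytes) -> bytes:
    """authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | ..."""
    if not auth_data[32] & 0x40:
        raise ValueError("AT flag not set: no attested credential data present")
    return auth_data[37:53]


def check_packed_aaguid(cert_der: bytes, auth_data: bytes) -> str:
    """Rule as the spec states it: if the extension is present it must not be critical
    and must equal the AAGUID in authenticatorData. Absence is reported, not decided."""
    found = find_aaguid_extension(cert_der)
    if found is None:
        return "absent"
    aaguid, critical = found
    if critical:
        return "critical"
    return "match" if aaguid == aaguid_from_auth_data(auth_data) else "mismatch"


def build_sample_cert(ext_aaguid: Optional[bytes], critical: bool = False) -> bytes:
    """Constructed, unsigned certificate skeleton for the demo (placeholder key and names)."""
    basic = der_encode(0x30, der_encode(0x06, encode_oid("2.5.29.19")) + der_encode(0x04, der_encode(0x30, b"")))
    exts = basic                                # an unrelated extension first, so the walk must skip it
    if ext_aaguid is not None:
        fields = der_encode(0x06, encode_oid(ID_FIDO_GEN_CE_AAGUID))
        if critical:
            fields += der_encode(0x01, b"\xff")
        fields += der_encode(0x04, der_encode(0x04, ext_aaguid))
        exts += der_encode(0x30, fields)
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))                          # version v3
           + der_encode(0x02, b"\x01")                                          # serialNumber
           + der_encode(0x30, der_encode(0x06, encode_oid("1.2.840.10045.4.3.2")))  # ecdsa-with-SHA256
           + der_encode(0x30, b"")                                              # issuer (placeholder)
           + der_encode(0x30, der_encode(0x17, b"230101000000Z") + der_encode(0x17, b"330101000000Z"))
           + der_encode(0x30, b"")                                              # subject (placeholder)
           + der_encode(0x30, b"")                                              # subjectPublicKeyInfo (placeholder)
           + der_encode(0xA3, der_encode(0x30, exts)))
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))


def build_sample_auth_data(aaguid: bytes) -> bytes:
    """Constructed authenticatorData with UP|AT flags and a stub credential/COSE key."""
    cred_id = b"\x11" * 16
    return (hashlib.sha256(b"example.com").digest() + bytes([0x41]) + (0).to_bytes(4, "big")
            + aaguid + len(cred_id).to_bytes(2, "big") + cred_id + b"\xa0")


if __name__ == "__main__":
    sample = bytes.fromhex("00112233445566778899aabbccddeeff")
    for label, cert in (("present", build_sample_cert(sample)), ("absent", build_sample_cert(None)),
                        ("critical", build_sample_cert(sample, critical=True))):
        print(label, "->", check_packed_aaguid(cert, build_sample_auth_data(sample)))
```

The walker only needs the outer shape of the certificate (it scans TBSCertificate children for the [3] EXPLICIT tag), so it works on real DER leaf certificates as well; in production the same comparison is normally done after loading x5c[0] with an X.509 library, where the extension shows up as an unrecognized extension whose raw value is the inner OCTET STRING (18 bytes, 0x04 0x10 followed by the AAGUID).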