Re: [webauthn] Ambiguous instructions in the Android Key Attestation Statement Format verification procedure (#1980) from Ki-Eun Shin via GitHub on 2023-10-03 (public-webauthn@w3.org from October 2023)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Tue, 03 Oct 2023 02:26:28 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1744064497-1696299986-sysbot+gh@w3.org>

After reading Android key attestation related docs, I'm thinking that the key description may have both `teeEnforced` and `softwareEnforced` at the same time.

See the following links: 
- https://source.android.com/docs/security/features/keystore/implementer-ref#get_key_characteristics

So, the current implementation you've provided is valid per the spec. Our implementation has similar validation logics.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1980#issuecomment-1744064497 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 3 October 2023 02:26:29 UTC