Re: [webauthn] Mark Android SafetyNet attestation as deprecated. (#2155)

@timcappalli credential record/[attestationClientDataJSON](https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-attestationclientdatajson) says:

>Storing this in combination with the above [attestationObject](https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-attestationobject) [item](https://infra.spec.whatwg.org/#struct-item) enables the [Relying Party](https://www.w3.org/TR/webauthn-3/#relying-party) to re-verify the [attestation signature](https://www.w3.org/TR/webauthn-3/#attestation-signature) at a later time.

---

> SafetyNet involves a server-side call to validate, I think?

The [verification procedure in WebAuthn](https://www.w3.org/TR/webauthn-3/#sctn-android-safetynet-attestation) doesn't require any in-procedure server call; the attestation statement is self-contained. It might no longer be possible to obtain the root certificate of the attestation trust chain, though.

Does SafetyNet have a single root certificate, or at least a small number of them? If so, then maybe we could inline it (them) in the WebAuthn spec as a way to keep attestation signatures verifiable.

Also, our links to "the steps indicated by the [SafetyNet online documentation](https://developer.android.com/training/safetynet/attestation.html#compat-check-response)" no longer lead to the verification steps, but instead to a page describing the deprecation timeline. Is there some way we can still access the verification steps so that we could inline them into WebAuthn (I'm not sure we should, just wondering if we can)?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2155#issuecomment-2385400973 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 October 2024 10:21:35 UTC
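Added example, not part of emlun's comment or of the WebAuthn spec text: the self-contained checks the comment refers to, written in Go against the standard library. The RP needs only the stored attestationObject (authenticatorData plus the attStmt "response" JWS), the clientDataHash, and a pinned root; nothing is fetched from Google. The root and leaf certificates built by BuildSampleResponse are constructed stand-ins so the code runs offline; they are not Google's root or a real SafetyNet certificate, and in practice the roots pool would hold the pinned SafetyNet root(s). The claim and header names (alg, x5c, nonce, ctsProfileMatch) are the JWS and SafetyNet ones; the "ver" field check and the timestampMs freshness check from the SafetyNet documentation are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// nonceFor is the nonce WebAuthn requires in the response: base64(SHA-256(authenticatorData || clientDataHash)).
func nonceFor(authData, clientDataHash []byte) string {
	sum := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifySafetyNetResponse runs the offline checks on the "response" JWS of an android-safetynet attestation
// statement, calling no Google service: x5c chains to a pinned root, the leaf is issued for attest.android.com,
// the RS256 (RSASSA-PKCS1-v1_5 / SHA-256) signature over "<encoded header>.<encoded payload>" verifies under the
// leaf key, the nonce binds the response to this ceremony, and ctsProfileMatch is true. Returns the verified leaf.
func VerifySafetyNetResponse(response string, authData, clientDataHash []byte, roots *x509.CertPool) (*x509.Certificate, error) {
	parts := strings.Split(response, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("response is not a compact JWS")
	}
	// A corrupt base64 part fails the JSON parse or the signature check (computed over the encoded parts) below.
	b64 := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct{ Alg string; X5c []string } // json matches keys case-insensitively; x5c: std-base64 DER, leaf first
	if err := json.Unmarshal(b64(parts[0]), &hdr); err != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, fmt.Errorf("header must carry alg RS256 and an x5c chain")
	}
	var chain []*x509.Certificate
	for i, c := range hdr.X5c {
		der, _ := base64.StdEncoding.DecodeString(c) // a bad entry fails ParseCertificate
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		chain = append(chain, cert)
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// Did it come from the SafetyNet service? Chain to the pinned root; leaf named attest.android.com (SAN).
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "attest.android.com"}); err != nil {
		return nil, fmt.Errorf("x5c chain: %w", err)
	}
	if err := leaf.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), b64(parts[2])); err != nil {
		return nil, fmt.Errorf("JWS signature: %w", err)
	}
	var p struct{ Nonce string; CtsProfileMatch bool } // the claims the WebAuthn procedure consults
	if err := json.Unmarshal(b64(parts[1]), &p); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if p.Nonce != nonceFor(authData, clientDataHash) {
		return nil, fmt.Errorf("nonce does not match authenticatorData || clientDataHash")
	}
	if !p.CtsProfileMatch {
		return nil, fmt.Errorf("ctsProfileMatch is false")
	}
	return leaf, nil
}

// BuildSampleResponse constructs a stand-in response so the checks above can run offline. Its self-signed root is
// NOT Google's root and its leaf is NOT a SafetyNet certificate; they only reproduce the chain shape. cts is the verdict.
func BuildSampleResponse(authData, clientDataHash []byte, cts bool) (string, *x509.CertPool, error) {
	now := time.Now()
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return "", nil, err
	}
	root, _ := x509.ParseCertificate(rootDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"attest.android.com"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return "", nil, err
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256",
		"x5c": []string{base64.StdEncoding.EncodeToString(leafDER), base64.StdEncoding.EncodeToString(rootDER)}})
	payload, _ := json.Marshal(map[string]any{"nonce": nonceFor(authData, clientDataHash), "ctsProfileMatch": cts})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, digest[:])
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), roots, err
}
```

The point the comment makes is visible in the signature of VerifySafetyNetResponse: everything it consumes is either stored with the credential record (the JWS and authenticatorData from attestationObject, clientDataHash from attestationClientDataJSON) or pinned by the RP (roots), so the signature stays re-verifiable as long as the RP still holds the root. Pass `x509.NewCertPool()` instead of the real pool to see the failure mode the comment worries about: with no trusted root the chain check fails even though the signature, nonce and verdict are all intact.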