Re: [webauthn] Mark Android SafetyNet attestation as deprecated. (#2155) from Matthew Miller via GitHub on 2024-10-01 (public-webauthn@w3.org from October 2024)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Tue, 01 Oct 2024 18:20:31 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2386674052-1727806829-sysbot+gh@w3.org>

> Also, our links to "the steps indicated by the [SafetyNet online documentation](https://developer.android.com/training/safetynet/attestation.html#compat-check-response)" no longer lead to the verification steps, but instead to a page describing the deprecation timeline. Is there some way we can still access the verification steps so that we could inline them into WebAuthn (I'm not sure we should, just wondering if we can)?

As for this, we might have to fall back to consulting existing verification implementations in WebAuthn libraries. For what it's worth, here's mine:

https://github.com/MasterKale/SimpleWebAuthn/blob/dc70416e781c9ab11625ba9afbf092809391874e/packages/server/src/registration/verifications/verifyAttestationAndroidSafetyNet.ts#L15

I'd link to py_webauthn's implementation but it's pretty much the same. I'm sure other libraries can be used to independently verify the logic if we wanted to map it to spec speak.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2155#issuecomment-2386674052 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 October 2024 18:20:32 UTC