- From: Eric Stern via GitHub <sysbot+gh@w3.org>
- Date: Tue, 01 Oct 2024 23:26:09 +0000
- To: public-webauthn@w3.org
I found the current spec for SafetyNet attestation verification pretty woefully deficient as it is, even before the link broke and moved to the deprecation timeline (in fact, I'm pretty sure I referenced yours @MasterKale since Google's docs were leading me in circles). IMO retaining the _procedure_ in the spec, even after deprecation, is fine - if not ideal.

`apple` is also completely unused now AFAIK since they've stripped attestation data for passkeys in iCloud Keychain and only use the `none` format[^1].

Having the actual certs in a registry of some kind seems reasonable (I'd also consider the FIDO metadata service as a candidate). So long as RPs maintain the timestamp of the credential registration, they should have no trouble checking that the attestation was valid at the time.

[^1]: If anyone knows this not to be the case, I'd love to learn what situation the `apple` format is still used by!

--
GitHub Notification of comment by Firehed
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2155#issuecomment-2387256235 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 1 October 2024 23:26:10 UTC