Re: [webauthn] Mark Android SafetyNet attestation as deprecated. (#2155) from Matthew Miller via GitHub on 2024-10-02 (public-webauthn@w3.org from October 2024)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Wed, 02 Oct 2024 19:57:50 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2389566620-1727899068-sysbot+gh@w3.org>

Here's a Wayback Machine link to a version of SafetyNet statement verification logic from July 28, 2023:

https://web.archive.org/web/20230728190311/https://developer.android.com/training/safetynet/attestation

It's a little too native-app-centric for our context here; for example there's no indication in there that in WebAuthn `nonce` bytes will be a concatenation of `authData` bytes and the SHA-256 hash of `clientDataJSON` bytes. However there's probably enough guidance on things like the use of JWS and the structure of PAYLOAD to help get RPs most of the way there.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2155#issuecomment-2389566620 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 2 October 2024 19:57:51 UTC