Merge pull request #2000 from sbweeden/sweeden_1998

Clarify validation step for packed attestation certificate for RPs.
w3c · Nov 29, 2023 · 065b836 · 065b836
2 parents f8163ea + 73eb670
commit 065b836
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -5890,6 +5890,10 @@ The attestation certificate MUST have the following fields/extensions:
     `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) MUST be present, containing the AAGUID as a 16-byte OCTET STRING.
     The extension MUST NOT be marked as critical.
 
+    As [=[RPS]=] may not know if the attestation root
+    certificate is used for multiple authenticator models, it is suggested that [=[RPS]=] check if the extension
+    is present, and if it is, then validate that it contains that same AAGUID as presented in the [=attestation object=].
+
     Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
     Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure: