Commit

notes added who controls level2Data
rlin1 committed Sep 14, 2016
1 parent 57b4e9f commit 720d553
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions index.bs
Expand Up @@ -1359,12 +1359,13 @@ elements).
- Verify that {{PackedAttestation/alg}} is "ED256" or "ED512".
- Perform DAA-Verify on {{PackedAttestation/signature}} (see [[!FIDOEcdaaAlgorithm]]).
- If {{PackedAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that
the value of this extension matches the AAGUID in the {{WebAuthnAttestation/level2Data}}.
the value of this extension matches the AAGUID in the {{WebAuthnAttestation/level1Data}}.

If neither {{PackedAttestation/x5c}} nor {{PackedAttestation/daaKey}} is present, self attestation is in use.
- Verify the signature using the public key of the credential.
- Validate that {{PackedAttestation/alg}} matches the algorithm in {{WebAuthnAttestation/level2Data}}.
- Validate that {{PackedAttestation/alg}} matches the algorithm in {{WebAuthnAttestation/level1Data}}.

Note: It depends on the auhenticator metadata whether level2Data is controlled by the Client or by the authenticator.

### Packed attestation level1Data certificate requirements ### {#packed-attestation-cert-requirements}

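Review bot: the added note on the last changed line of this hunk misspells "authenticator" as "auhenticator", and it does not say why the two steps above were switched from {{WebAuthnAttestation/level2Data}} to {{WebAuthnAttestation/level1Data}}. Since the note itself says level2Data may be under the Client's control, the wording should tie the two together for implementers, e.g. "Note: Whether level2Data is controlled by the Client or by the authenticator depends on the authenticator metadata; the AAGUID and algorithm checks above therefore compare against level1Data rather than level2Data."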
Expand Down Expand Up @@ -1469,6 +1470,8 @@ This attestation format is generally used by authenticators that use a Trusted P
- If {{TpmAttestation/x5c}} contains an extension with OID `1 3 6 1 4 1 45724 1 1 4` (id-fido-gen-ce-aaguid) verify that the
value of this extension matches the AAGUID in the {{WebAuthnAttestation/level2Data}}.

Note: It depends on the attestation certificate whether level2Data is controlled by the Client or by the authenticator.


### TPM attestation level1Data certificate requirements ### {#tpm-cert-requirements}

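Review bot: the unchanged context line in this hunk still compares the id-fido-gen-ce-aaguid extension in {{TpmAttestation/x5c}} against the AAGUID in {{WebAuthnAttestation/level2Data}}, while the same step for packed attestation was changed in this commit to level1Data and the new note directly below says level2Data may be controlled by the Client. If level2Data can be client-controlled, matching a certificate extension against it does not bind the AAGUID to the authenticator; either change the line to `value of this extension matches the AAGUID in the {{WebAuthnAttestation/level1Data}}.` or state why TPM attestation differs. The note also says control "depends on the attestation certificate" whereas the packed note says "depends on the authenticator metadata"; the two should use one wording or explain the difference.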
Expand Down Expand Up @@ -1526,7 +1529,7 @@ When the <a>Authenticator</a> in question is a platform-provided Authenticator o

- Check that `level1Data.AuthorizationList.origin == KM_TAG_GENERATED`, that `level1Data.AuthorizationList.purpose == KM_PURPOSE_SIGN`, that `level1Data.AuthorizationList.keySize` and `level1Data.AuthorizationList.digest` are acceptable, that `level1Data.authType` only contains acceptable user verification methods, that `level1Data.AuthorizationList.authTimeout == 0` or is <em>not</em> present, and that `level1Data.AuthorizationList.noAuthRequired` is <em>not</em> present.

Note: the level2Data is controlled by the Client and <i>not</i> by the authenticator.
Note: level2Data is controlled by the Client and <i>not</i> by the authenticator.


## Android SafetyNet Attestation Format ## {#android-safetynet-attestation}
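Review bot: this hunk only drops the article ("the level2Data" becomes "level2Data"), which makes the note consistent with the others, but it would help implementers to state the consequence: the check above reads only `level1Data.*` fields, so the note could add that a relying party must not take any authenticator property from level2Data in this format.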
Expand Down Expand Up @@ -1583,6 +1586,7 @@ API</a>.

- Check that the `ctsProfileMatch` attribute in the payload of the `safetynetResponse` is true.

Note: level1Data and level2Data are controlled by the Client and <i>not</i> by the authenticator.

# WebAuthn Extensions # {#extensions}

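Review bot: the added note says both level1Data and level2Data are controlled by the Client, but the step right above it checks `ctsProfileMatch` in the payload of the `safetynetResponse` without saying where that response sits relative to those two structures. Suggest one sentence making clear which of the values verified in this section come from the SafetyNet response and which from the client-controlled level1Data/level2Data, so a reader knows which checks can be relied on.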