Confused About What To Do With Attestation Trust Paths #1662
Comments
|
The procedure is not normative in this spec, but typically you would ensure that the certificate is signed by a trust root from FIDO metadata services, or from metadata obtained directly from the vendor(s) of the authenticators you are willing to accept. |
|
This is a highly valid question. I have proposed a simplified and decentralized approach which should be sufficient for most RPs that do not have the luxury defining what authenticators and associated devices their customers use: |
|
@DanielSanchezDiaz The IETF defined a mechanism called PKIX Validation that defines a very precise process for how to find the Trust Anchor of a given certificate (for example, the Attestation certificate used by the Authenticator) to determine whether you choose to trust the certificate. This trust depends, quite significantly, on whether the creators of the Attestation certificate chose the right certificate extensions, populated them with the right values, and established the "infrastructure" to support certificate verification on the internet. Unfortunately, without looking at the actual Attestation certificate and going through the PKIX Validation process, it is impossible to tell whether you can validate such a certificate or its chain completely - each certificate in the chain must have all the right values to chain correctly. Mozilla Developer Network used to have one of the most easily understood articles on this topic; the links are broken right now (I've filed an issue), but you can get a decent introduction to the topic if you look at the section on "How CA Certificates Are Used to Establish Trust" in this archived copy at http://web.archive.org/web/20140704130514/https://developer.mozilla.org/en-US/docs/Introduction_to_Public-Key_Cryptography. The link at Oracle provides useful tools on how to perform the validation using Java. If you're looking for a simplified implementation of those classes, you'll find it in the source code of PKI2FIDO at Sourceforge. |
|
Per discussion on WebAuthn working group call 11 August, this question has been asked and answered so closing the issue. |
Hello! I was a bit confused by step 21 in registering a new credential.
"Otherwise, use the X.509 certificates returned as the attestation trust path from the verification procedure to verify that the attestation public key either correctly chains up to an acceptable root certificate, or is itself an acceptable certificate (i.e., it and the root certificate obtained in Step 20 may be the same)."
How do we know we've reached an acceptable root certificate?
Do we need to make sure that the root certificate follows the format outlined in 8.2.1?
I believe I understand how to check if the attestation public key and the root certificate are the same. Are there other ways to see if an attestation is itself an acceptable certificate?
Thanks so much!
The text was updated successfully, but these errors were encountered: