Packed and U2F Attestation Statements' verifications don't differentiate between Basic and Privacy CA Attestation Types #656
Comments
I'm not sure having Privacy CA as a separate attestation type is very meaningful, as like you say (and @balfanz notes in #628 (comment)), to the RP it looks and acts the same as Basic Attestation. I would suggest merging the two concepts, but I'm not sure how that would affect the TPM attestation statement format which seems to be intimately connected to the Privacy CA model.
From the viewpoint of the RP, the RP cannot differentiate between Basic and Privacy CA from the attestation data. Since both attestation data have the same structure having
@jcjones notes in webauthn f2f tpac 2017-11-09 that we can push this to PR, we can address it with non-normative editorial language. The present text is misleading.
The verification procedures still need to be updated, but I fixed the omission of Privacy CA for U2F in 5f4f3e6
fyi: "privacy CA" is now "attestation CA", I believe.
Per the 28-Feb-18 call, @jcjones will verify that this has been addressed.
I confirm this has been addressed. Closing this issue.
The Packed Attestation Statement Format is valid for all Attestation Types.
webauthn/index.bs, Lines 2313 to 2317 in b8c6027
However, in its verification procedure it assumes that if x5c is present, that attestations are type Basic:
webauthn/index.bs, Lines 2387 to 2393 in b8c6027
However, that's what the Privacy CA attestation will look like, too.
Similarly, it's technically feasible for a browser to use the Privacy CA option for U2F, and we might want to do so for - say - private browsing mode. Yet U2F Attestation Format suffers the same issue -- in addition, it excludes Privacy CA which seems wrong, as it'd be useful:
webauthn/index.bs, Lines 2686 to 2690 in b8c6027