-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
define "self-signed basic attestation type" "SSBasic" #1499
Conversation
some authenticators in the wild return, on registration, an attestation certificate that is signed by the private key associated with the public key in the cert. Thus, the attestation certificate is essentially the "(CA) root certificate". this change defines this sort of attestation as "self-signed basic attestation", "SSBasic" for short.
Need to have a proper impact analysis and collect feedback from certified servers before this change is approved |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is reasonable.
My only question is if we should have guidance for creating such a self signed certificate going forward. There are probably some things like making sure the certificate chains to itself, that would be useful for backwards compatibility.
I am not sure that WebAuthn needs to do that. In principal we can support new attestation formats like apple attestation, without first checking what existing Fido servers do. As long as this behavior fails in a safe way in servers, eg the worst that happens in existing servers is that they consider these attestations invalid, I don't see a problem. New servers will support it like the apple attestation. |
Please note that FIDO Alliance is in no way trying to dictate the work of this group and the comment is not our official stance on this topic. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how this is qualitatively different from any other Basic attestation. If the RP has the self-signed "root" certificate in its trust store, then it can already just verify the signature as usual, no? Presumably the trust store is indexed by X.509 subject name and the self-signed certificate has identical subject and issuer names, so the RP would just look up a second copy of the same certificate and see a valid signature by the trusted copy. Conversely if the self-signed cert is not in the trust store, then the RP would fail to look it up and thus not trust the signature. So why does this special case need its own category?
Yes, it may not merit its own attestation type. Perhaps clarifying that an authenticator's "attestation root certificate" (as made available by the authnr's manufacturer) may be the same as the authnr-returned attestation cert, and can be "verified" by either a byte-by-byte comparison or verifying the signature, is sufficient. As it turns out, the FIDO Metadata Statement spec allows for such self-signed attestation certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't need a new attestation type here. Self-signed should be usable with Basic, or we can add clarifications as necessary.
am closing this given #1499 (review), #1499 (review), and #1499 (comment). |
some authenticators in the wild return, on registration, an attestation certificate that is signed by the private key associated with the public key in the cert. Thus, the attestation certificate is essentially the "(CA) root certificate".
this change defines this sort of attestation as "self-signed basic attestation", "SSBasic" for short.
fixes #1498
Preview | Diff