AttestationRootCertificates in Android Key Attestation (UAF 1.1)


Daichi Ogawa

Mar 30, 2018, 3:53:58 AM
to FIDO Dev (fido-dev)
Hi,

What is the difference between "Metadata.AttestationRootCertificates" (hereinafter called "Certs") and "Metadata.SupportedExtensions.Data.AttestationRootCertificates" (hereinafter called "ExtCerts")?

I thought ExtCerts was referred to only during this "Android Key Attestation" processing, but there is no clear description of that.

Which does the "attestationRootCertificate" below mean: Certs, ExtCerts, or both?

==Quotation============================

5.2 Android Key Attestation

~~

Server processing

~~

2. it must verify the syntax of the key attestation extension and it must perform RFC5280 compliant chain validation of the entries in the array to one attestationRootCertificate specified in the Metadata Statement.

======================================


https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-reg-v1.1-ps-20170202.html#android-key-attestation

Rolf Lindemann

Mar 30, 2018, 8:32:55 PM
to Daichi Ogawa, FIDO Dev (fido-dev)

Hi,

The difference is a rather formal one:

In Metadata.AttestationRootCertificates you find the attestation root certificates that are relevant for an attestation format defined in the assertion schemes (see https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-reg-v1.1-ps-20170202.html#assertion-schemes or https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-messages).

Examples are attestation root certificates used for FIDO "full basic attestation".

On the other hand, in the field Metadata.SupportedExtensions.Data you find specific information related to an *extension*. Some extensions (e.g. Android Key Attestation, see https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-reg-v1.1-ps-20170202.html#android-key-attestation) include signed data which is chained to a different root certificate.

Such a root certificate is specified in the extension-specific contents included in Metadata.SupportedExtensions.Data.


Kind regards,

  Rolf

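The following is an added example (not code from the thread, the FIDO specifications, or any FIDO project) showing how a relying-party server might act on the answer above: pick the trust anchors from the top-level attestationRootCertificates when validating the assertion scheme's own attestation, and from the matching entry in supportedExtensions when validating the Android Key Attestation extension. The JSON field names, the extension id string, and the certificates (plain strings standing in for base64 DER) are constructed assumptions for illustration; the chain check only models issuer/subject linking and root membership, and a real server must do full RFC 5280 validation (signatures, validity periods, extensions) with a proper X.509 library.

```python
import base64
import hashlib
import json

# Assumed extension id for the UAF Android Key Attestation extension (illustration only).
ANDROID_KEY_ATTESTATION_EXT_ID = "fido.uaf.android.key_attestation"


def _fake_der(name: str) -> str:
    """Stand-in for a base64-encoded DER certificate (constructed, not real X.509)."""
    return base64.b64encode(f"CERT:{name}".encode()).decode()


# Constructed metadata statement. Field names mirror the thread's
# Metadata.AttestationRootCertificates and Metadata.SupportedExtensions.Data.
METADATA_STATEMENT = {
    "aaid": "1234#5678",
    "attestationRootCertificates": [_fake_der("FIDO Basic Attestation Root")],
    "supportedExtensions": [
        {
            "id": ANDROID_KEY_ATTESTATION_EXT_ID,
            "fail_if_unknown": False,
            # Extension-specific data, assumed here to be JSON carrying its own roots.
            "data": json.dumps({
                "attestationRootCertificates": [_fake_der("Android Keystore Root")]
            }),
        }
    ],
}


def select_trust_anchors(metadata, extension_id=None):
    """Return the base64 DER roots a chain must terminate at.

    No extension_id: the assertion-scheme attestation (e.g. full basic attestation)
    is being validated, so the top-level list applies.
    With extension_id: the extension's own roots in SupportedExtensions.Data apply.
    """
    if extension_id is None:
        return list(metadata.get("attestationRootCertificates", []))
    for ext in metadata.get("supportedExtensions", []):
        if ext.get("id") == extension_id and ext.get("data"):
            ext_data = json.loads(ext["data"])
            return list(ext_data.get("attestationRootCertificates", []))
    return []  # extension not declared: nothing to chain to, so validation fails


def chain_terminates_at_anchor(chain, anchors):
    """Simplified path check over a leaf-first list of {'subject','issuer','der_b64'} dicts.

    Each certificate's issuer must name the next certificate's subject, and the last
    certificate must be byte-identical (compared by SHA-256 fingerprint) to one of the
    anchors. This model requires the array to include the root itself; a full RFC 5280
    implementation also verifies every signature, validity period and critical extension.
    """
    if not chain or not anchors:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    anchor_fps = {hashlib.sha256(base64.b64decode(a)).digest() for a in anchors}
    root_fp = hashlib.sha256(base64.b64decode(chain[-1]["der_b64"])).digest()
    return root_fp in anchor_fps


def _cert(subject: str, issuer: str) -> dict:
    return {"subject": subject, "issuer": issuer, "der_b64": _fake_der(subject)}


def android_chain():
    """Constructed chain carried in the Android Key Attestation extension."""
    return [
        _cert("Android Keystore Key", "Android Keystore Intermediate"),
        _cert("Android Keystore Intermediate", "Android Keystore Root"),
        _cert("Android Keystore Root", "Android Keystore Root"),
    ]


def basic_chain():
    """Constructed chain carried in a full basic attestation."""
    return [
        _cert("Authenticator Attestation Cert", "FIDO Basic Attestation Root"),
        _cert("FIDO Basic Attestation Root", "FIDO Basic Attestation Root"),
    ]


def validate_basic_attestation_chain(metadata, chain):
    return chain_terminates_at_anchor(chain, select_trust_anchors(metadata))


def validate_android_key_attestation_chain(metadata, chain):
    anchors = select_trust_anchors(metadata, ANDROID_KEY_ATTESTATION_EXT_ID)
    return chain_terminates_at_anchor(chain, anchors)


if __name__ == "__main__":
    print("android chain vs extension roots:", validate_android_key_attestation_chain(METADATA_STATEMENT, android_chain()))
    print("android chain vs top-level roots:", validate_basic_attestation_chain(METADATA_STATEMENT, android_chain()))
```

Running the block shows the practical consequence of Rolf's distinction: the Android Keystore chain validates only against the extension's roots, and the basic-attestation chain only against the top-level roots, so a server that reads the wrong list rejects a valid attestation (or, worse, one that merges both lists accepts a chain for the wrong attestation type).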

Daichi Ogawa

Apr 1, 2018, 10:02:39 PM
to FIDO Dev (fido-dev), daich...@gmail.com
Thanks for replying.

In other words, "attestationRootCertificate specified in the Metadata Statement" in the specification (https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-reg-v1.1-ps-20170202.html#android-key-attestation) means "Metadata.SupportedExtensions.Data", doesn't it?



On Saturday, March 31, 2018 at 9:32:55 AM UTC+9, Rolf Lindemann wrote: