Do major browsers support the Enterprise Attestation feature?


Frank Wang

Jun 21, 2022, 11:58:24 PM
to FIDO Dev (fido-dev)
Hello,

We are a manufacturer of FIDO authenticators. We have recently completed development of the Enterprise Attestation feature. In the FIDO registration test, we set attestation to "enterprise" when calling the WebAuthn API credentials.create, and the authenticator includes the ep option ID (set to true) in its reply to authenticatorGetInfo. However, when testing with Chrome, we found that the enterpriseAttestation parameter (0x0A) did not appear in the authenticatorMakeCredential (0x01) command, so we cannot continue testing right now.

I would like to ask whether the above situation is caused by Chrome not supporting the Enterprise Attestation feature or by some setting error, and whether major browsers support the Enterprise Attestation feature. Thanks.

BR,
Frank

nuno sung

Jun 22, 2022, 9:25:36 AM
to FIDO Dev (fido-dev), dh66...@gmail.com
My test with Chrome M103 on macOS or Win10/Win11, with the WebAuthenticationUseNativeWinApi feature disabled, works well.
And for Chromium on Windows using Windows' webauthn.dll, it depends on the API version the Windows platform supports: https://github.com/microsoft/webauthn/blob/master/webauthn.h
My Win11 22H2 build 22621 and dev build 22538 with MS Edge 102 work too, so they should be at least WEBAUTHN_API_VERSION_4.

dh66...@gmail.com wrote on Wednesday, June 22, 2022 at 11:58:24 AM UTC+8:

Frank Wang

Jun 27, 2022, 5:57:49 AM
to FIDO Dev (fido-dev), nuno sung, Frank Wang
Hi Nuno,

Thanks for your prompt response to my question. We successfully received the enterpriseAttestation (0x0A) parameter with a value of 1 (vendor-facilitated enterprise attestation) in an authenticatorMakeCredential (0x01) command after disabling the WebAuthenticationUseNativeWinApi feature in our test with Chrome.

Now we have another question: how can we receive the enterpriseAttestation parameter with value 2 (platform-managed enterprise attestation)? This is the value we really want.

BR,
Frank
nuno sung wrote on Wednesday, June 22, 2022 at 9:25:36 PM UTC+8:

nuno sung

Jun 27, 2022, 7:27:20 AM
to FIDO Dev (fido-dev), dh66...@gmail.com, nuno sung
Hi Frank,

I think there is no direct way to make Chromium-based browsers use the enterprise value 2 case through WebAuthn's option.
You can see that the enum sets in AttestationConveyancePreference and device::AttestationConveyancePreference are different.
(P.S. in my test on Windows there is no need to put the scheme and :// in the value, i.e. "https://".)
But this also means you need to be able to deploy Chrome with the policy settings onto your target machines first.

BR,
Nuno

dh66...@gmail.com wrote on Monday, June 27, 2022 at 5:57:49 PM UTC+8:

Adam Langley

Jun 27, 2022, 12:48:17 PM
to FIDO Dev (fido-dev), nuno sung, dh66...@gmail.com
There is also the command-line switch --webauthn-permit-enterprise-attestation which takes a comma-separated list of origin strings (e.g. https://www.example.com) and allows enterprise attestation for requests on those origins.


Cheers

AGL
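As an added example, not code from the thread, from Chromium or from any authenticator vendor: a small JavaScript check of the two CTAP2 messages Frank's first post describes (the ep option in the authenticatorGetInfo response, and the enterpriseAttestation key 0x0A in authenticatorMakeCredential), plus a simplified model of the value-1 vs value-2 selection that Nuno's and Adam's replies describe. The CBOR decoder covers only the types CTAP2 uses; the two sample frames are constructed by hand for the example; and enterpriseAttestationValue is my reading of the thread (an assumption), not Chromium's own logic.

```javascript
// Minimal CBOR decoder: enough for CTAP2 (uint, negint, bstr, tstr, array, map, bool/null).
function decodeCbor(bytes) {
  let pos = 0;
  function readLen(ai) {
    if (ai < 24) return ai;
    if (ai === 24) return bytes[pos++];
    if (ai === 25) { const v = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; return v; }
    throw new Error('unsupported CBOR length encoding');
  }
  function item() {
    const ib = bytes[pos++];
    const major = ib >> 5, ai = ib & 0x1f;
    switch (major) {
      case 0: return readLen(ai);
      case 1: return -1 - readLen(ai);
      case 2: { const n = readLen(ai); const v = bytes.slice(pos, pos + n); pos += n; return v; }
      case 3: { const n = readLen(ai); const v = new TextDecoder().decode(bytes.slice(pos, pos + n)); pos += n; return v; }
      case 4: { const n = readLen(ai); const a = []; for (let i = 0; i < n; i++) a.push(item()); return a; }
      case 5: { const n = readLen(ai); const m = new Map(); for (let i = 0; i < n; i++) { const k = item(); m.set(k, item()); } return m; }
      case 7: if (ai === 20) return false; if (ai === 21) return true; if (ai === 22) return null;
      default: throw new Error(`unsupported CBOR major type ${major}`);
    }
  }
  const value = item();
  if (pos !== bytes.length) throw new Error('trailing bytes after CBOR item');
  return value;
}

// authenticatorGetInfo response: status byte, then a CBOR map; key 4 is "options", and
// options.ep === true means the authenticator has enterprise attestation enabled.
function supportsEnterpriseAttestation(getInfoResponse) {
  if (getInfoResponse[0] !== 0x00) throw new Error('getInfo returned an error status');
  const info = decodeCbor(getInfoResponse.subarray(1));
  const options = info.get(4);
  return options instanceof Map && options.get('ep') === true;
}

// authenticatorMakeCredential request: command byte 0x01, then a CBOR map.
// Key 0x0A (enterpriseAttestation) is optional and may only be 1 or 2.
function parseMakeCredential(frame) {
  if (frame[0] !== 0x01) throw new Error('not an authenticatorMakeCredential (0x01) command');
  const params = decodeCbor(frame.subarray(1));
  if (!(params instanceof Map)) throw new Error('makeCredential parameters must be a CBOR map');
  const ea = params.get(0x0a);
  if (ea !== undefined && ea !== 1 && ea !== 2) throw new Error(`invalid enterpriseAttestation value ${ea}`);
  const rp = params.get(2);
  return { rpId: rp ? rp.get('id') : undefined, enterpriseAttestation: ea };
}

// Simplified model (assumption from the thread, not Chromium's code) of how a browser picks the
// 0x0A value: the RP must ask for attestation "enterprise", the authenticator must advertise ep,
// and value 2 is sent only when the browser itself (policy or the --webauthn-permit-enterprise-attestation
// switch) has permitted the calling origin; otherwise value 1 lets the authenticator decide by RP ID.
function enterpriseAttestationValue(attestationPreference, origin, permittedOrigins, authenticatorSupportsEp) {
  if (attestationPreference !== 'enterprise' || !authenticatorSupportsEp) return undefined; // key omitted
  return permittedOrigins.includes(origin) ? 2 : 1;
}

// Helper for constructing CBOR text strings shorter than 24 bytes in the samples below.
const txt = (s) => [0x60 + s.length, ...Buffer.from(s, 'utf8')];

// Constructed sample getInfo response: versions, a placeholder aaguid, options {ep: true, rk: true}.
const sampleGetInfo = Uint8Array.from([
  0x00, 0xa3,
  0x01, 0x81, ...txt('FIDO_2_1'),
  0x03, 0x50, ...new Array(16).fill(0xaa),
  0x04, 0xa2, ...txt('ep'), 0xf5, ...txt('rk'), 0xf5,
]);

// Constructed sample makeCredential request with enterpriseAttestation = 1 (vendor-facilitated).
const sampleMakeCredential = Uint8Array.from([
  0x01, 0xa5,
  0x01, 0x58, 0x20, ...new Array(32).fill(0x11),                      // 1: clientDataHash (placeholder)
  0x02, 0xa1, ...txt('id'), ...txt('example.com'),                     // 2: rp
  0x03, 0xa2, ...txt('id'), 0x44, 1, 2, 3, 4, ...txt('name'), ...txt('frank'), // 3: user
  0x04, 0x81, 0xa2, ...txt('alg'), 0x26, ...txt('type'), ...txt('public-key'), // 4: pubKeyCredParams (ES256)
  0x0a, 0x01,                                                          // 10: enterpriseAttestation = 1
]);

console.log('authenticator advertises ep:', supportsEnterpriseAttestation(sampleGetInfo));
console.log('makeCredential request:', parseMakeCredential(sampleMakeCredential));
console.log('browser would send 0x0A =', enterpriseAttestationValue('enterprise', 'https://www.example.com', ['https://www.example.com'], true));
```

When testing a real authenticator, capture the CTAP frame on the transport (USB HID, NFC or BLE) and feed the CBOR payload to parseMakeCredential; if 0x0A is absent even though getInfo shows ep, the browser side (native API, policy or switch) is what to look at, as in the thread.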