Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify validation step for packed attestation certificate for RPs. #2000

Merged
merged 2 commits into from
Nov 29, 2023
Merged

Clarify validation step for packed attestation certificate for RPs. #2000

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d13f46a
Clarify validation step for packed attestation certificate for RPs. A…
sbweeden Nov 22, 2023
73eb670
Update index.bs
sbweeden Nov 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5890,6 +5890,10 @@ The attestation certificate MUST have the following fields/extensions:
`1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) MUST be present, containing the AAGUID as a 16-byte OCTET STRING.
The extension MUST NOT be marked as critical.

As [=[RPS]=] may not know if the attestation root
certificate is used for multiple authenticator models, it is suggested that [=[RPS]=] check if the extension
is present, and if it is, then validate that it contains that same AAGUID as presented in the [=attestation object=].

Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:

Expand Down