brandonweeks / draft-bweeks-acme-device-attest
License: Other
I've been trying to follow the webauthn spec's tpm attestation. But at what point of the flow do we prove that the AK and the EK are on the same device here? It only seems to check that the AK signed the challenge and that the Attestation CA signed the AK, but it does not perform the activation handshake that proves that the EK and AK are on the same cryptographic device before signing the AK. They just say "It's the responsibility of the Attestation CA to check that the EK and AK are there". Is that something that is planned to be added to this spec? Or did I read over it? It seems like an important part of attestation to actually check that the device is genuine.
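The activation handshake asked about above, as an added example in Go (it is not code from the draft, from the issue author, or from any TPM library): a simplified model of the TPM2_MakeCredential / TPM2_ActivateCredential exchange. The Attestation CA wraps a fresh secret to the EK public key, bound to the name of the AK it is about to certify; only a device that holds the EK private key and has that exact AK loaded can return the secret, which is what proves the two keys are co-resident before the CA signs the AK. The model assumes an RSA EK and uses RSA-OAEP with the AK name as the OAEP label in place of the real TPM seed/KDFa/AES-CFB construction; the AK public areas are constructed byte strings and all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Simplified model of TPM credential activation (added example, not the
// draft's or any library's code). Real TPM2 blobs use a seed, KDFa and
// AES-CFB; here the secret is wrapped with RSA-OAEP whose label is the AK
// name, so only a device holding the EK private key AND the named AK can
// unwrap it. Function and variable names are hypothetical.

// akName models the TPM "name" of a key: a digest of its public area.
func akName(akPublic []byte) []byte {
	h := sha256.Sum256(akPublic)
	return h[:]
}

// makeCredential is the Attestation CA side: bind a fresh secret to the
// EK public key and to the name of the AK the device claims to hold.
func makeCredential(ekPub *rsa.PublicKey, claimedAKPublic []byte) (secret, blob []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	blob, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, secret, akName(claimedAKPublic))
	if err != nil {
		return nil, nil, err
	}
	return secret, blob, nil
}

// activateCredential is the device side: unwrap with the EK private key,
// using the name of the AK that is actually loaded as the label. A device
// with the EK but a different AK (or a different EK) cannot recover the secret.
func activateCredential(ekPriv *rsa.PrivateKey, loadedAKPublic []byte, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, ekPriv, blob, akName(loadedAKPublic))
}

// verifyActivation is the CA check that closes the loop.
func verifyActivation(expected, returned []byte) bool {
	return returned != nil && bytes.Equal(expected, returned)
}

// runActivation runs one full exchange and reports whether the CA should
// accept the claimed AK as co-resident with the EK before certifying it.
func runActivation(ekPriv *rsa.PrivateKey, claimedAK, loadedAK []byte) (bool, error) {
	secret, blob, err := makeCredential(&ekPriv.PublicKey, claimedAK)
	if err != nil {
		return false, err
	}
	got, err := activateCredential(ekPriv, loadedAK, blob)
	if err != nil {
		return false, nil // wrong EK or wrong AK: unwrap fails, CA rejects the AK
	}
	return verifyActivation(secret, got), nil
}

func main() {
	ek, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the device EK
	if err != nil {
		panic(err)
	}
	akPublic := []byte("constructed AK public area")  // constructed sample
	otherAK := []byte("a different AK public area")   // constructed sample
	ok, _ := runActivation(ek, akPublic, akPublic)
	fmt.Println("claimed AK is loaded next to the EK:", ok)
	ok, _ = runActivation(ek, akPublic, otherAK)
	fmt.Println("claimed AK is not on the EK's device:", ok)
}
```

The CA should only issue the AK certificate (and the ACME server should only accept the attestation statement) after verifyActivation succeeds; checking the AK signature and the CA's signature on the AK alone does not establish that the AK ever lived in the same TPM as the EK.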
ACME RFC section-6.7 defines some standard errors. A device attestation error should be defined, something like:
| Type | Description |
|---|---|
| badAttestationStatement | Attestation statement cannot be verified |
I'm interested in using Apple DeviceCheck with this spec as DeviceCheck exists today and can be used in non-enterprise settings. Problem is that DeviceCheck[0] adheres to Webauthn more strictly than this spec and thus it seems impossible to combine at the moment. The problem lies in the redefinition of attToBeSigned. Namely DeviceCheck will concatenate the authData instead of ignoring it.

Instead of defining `attToBeSigned = sha256(key authorization)` it defines it as:

`attToBeSigned = authData || sha256(keyAuthorization)`

I think we could adopt the spec in a backwards compatible way with the current spec to say:

"authData MAY be present; if authData is present it MUST be prepended to attToBeSigned"

This would make Apple DeviceCheck[0] compatible with this spec.

[0] - https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server
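The backwards-compatible rule proposed above, as an added Go example (not code from the draft, from DeviceCheck, or from the issue author): attToBeSigned is built as sha256(keyAuthorization) with authData prepended whenever it is present, so one verifier accepts both the draft's form (no authData) and the DeviceCheck form, while a verifier that implements only the draft's original definition rejects a DeviceCheck-style statement. The ES256 key, the key authorization string and the authData bytes are constructed samples, and all function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// attToBeSigned implements the proposed rule (added example, hypothetical
// names): sha256(keyAuthorization), with authData prepended when present.
// Empty/nil authData yields the draft's original definition unchanged.
func attToBeSigned(authData []byte, keyAuthorization string) []byte {
	digest := sha256.Sum256([]byte(keyAuthorization))
	if len(authData) == 0 {
		return digest[:]
	}
	out := make([]byte, 0, len(authData)+len(digest))
	out = append(out, authData...)
	return append(out, digest[:]...)
}

// signAttestation models the attesting side (the role DeviceCheck or a TPM
// plays): ES256, i.e. ECDSA P-256 over the SHA-256 of attToBeSigned.
func signAttestation(priv *ecdsa.PrivateKey, authData []byte, keyAuthorization string) ([]byte, error) {
	msg := sha256.Sum256(attToBeSigned(authData, keyAuthorization))
	return ecdsa.SignASN1(rand.Reader, priv, msg[:])
}

// verifyAttestation is the ACME server under the proposed rule: it uses the
// authData carried in the statement (if any) when rebuilding attToBeSigned.
func verifyAttestation(pub *ecdsa.PublicKey, authData []byte, keyAuthorization string, sig []byte) bool {
	msg := sha256.Sum256(attToBeSigned(authData, keyAuthorization))
	return ecdsa.VerifyASN1(pub, msg[:], sig)
}

// verifyDraftOnly is a server that implements only the draft's current
// definition and ignores authData entirely.
func verifyDraftOnly(pub *ecdsa.PublicKey, keyAuthorization string, sig []byte) bool {
	return verifyAttestation(pub, nil, keyAuthorization, sig)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ka := "constructed-token.constructed-thumbprint" // constructed sample key authorization
	authData := []byte("constructed authData bytes")  // constructed sample authData

	sigDraft, _ := signAttestation(priv, nil, ka)      // draft form
	sigDC, _ := signAttestation(priv, authData, ka)    // DeviceCheck form

	fmt.Println("draft form, proposed rule:      ", verifyAttestation(&priv.PublicKey, nil, ka, sigDraft))
	fmt.Println("DeviceCheck form, proposed rule:", verifyAttestation(&priv.PublicKey, authData, ka, sigDC))
	fmt.Println("DeviceCheck form, draft-only:   ", verifyDraftOnly(&priv.PublicKey, ka, sigDC))
}
```

Because authData is signed whenever it is present, a server that adopts the rule still gets the binding it needs: changing a single byte of the authData after signing makes verification fail, so a client cannot use the optional field to decouple the statement from what the attester actually signed.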