Key Attestation #270
Comments
The Wallet instance has two types of keys: (1) A set of Cryptographic Hardware Keys which it has throughout its lifetime. Does the OEM key specify the use of X.509? We don't have any mention about this in the specs.
When we read "public key of the Wallet Hardware", is the key the "Cryptographic Hardware Key"? Is the Device Integrity Service (DIS) able to extract the public key from the Wallet? Where in the text does it say that the Wallet sends it in a message to the DIS?
The Wallet Instance sends hardware_key_tag to the Wallet Provider backend but the Wallet Provider stores Cryptographic Hardware keys. How is that possible?
There are places in the text where we start using the abbreviation WSCD without a definition or a reference to a definition.
The answer can be found in the "Wallet Instance Initialization and Registration" section, specifically in steps 8 and 9. In step 8, the Device Integrity Service (DIS) creates a Key Attestation linked to the provided "challenge" and the public key of the Wallet Hardware. In step 9, the Wallet Instance sends the previously created key attestation and the cryptographic hardware key tag to the Wallet Provider. This process eliminates the need to send the Wallet Hardware public key directly, as it is already included in the key attestation. The hardware_key_tag serves as a reference or identifier for the corresponding Cryptographic Hardware key stored by the Wallet Provider. Therefore, the Wallet Provider can associate the received hardware_key_tag with the appropriate Cryptographic Hardware key in its storage.
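The data flow of steps 8 and 9 described in the comment above, as an added sketch that is not part of the thread or of the specification. It assumes the Wallet Provider issues the challenge, and it uses an HMAC as a stand-in for the DIS signature (real key attestations are signed with an asymmetric key chained to the manufacturer's root); all function, class and key names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the DIS signing key. HMAC replaces the real
# asymmetric attestation signature only so this runs on the standard library.
DIS_KEY = b"constructed-dis-demo-key"


def dis_attest(challenge: str, hw_pubkey: str) -> dict:
    """Step 8 (simulated): bind the challenge to the hardware public key."""
    body = json.dumps({"challenge": challenge, "hw_pubkey": hw_pubkey},
                      sort_keys=True)
    mac = hmac.new(DIS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class WalletProvider:
    def __init__(self):
        self.pending = set()  # challenges issued and not yet consumed
        self.hw_keys = {}     # hardware_key_tag -> hardware public key

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def register(self, attestation: dict, hardware_key_tag: str) -> bool:
        """Step 9: verify the attestation, then store the key it carries."""
        expected = hmac.new(DIS_KEY, attestation["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, attestation["mac"]):
            return False  # attestation was altered or not produced by the DIS
        claims = json.loads(attestation["body"])
        if claims["challenge"] not in self.pending:
            return False  # unknown or replayed challenge
        self.pending.discard(claims["challenge"])
        # The public key is taken from the verified attestation, never from a
        # separate field, and is indexed by the tag the Wallet Instance sent.
        self.hw_keys[hardware_key_tag] = claims["hw_pubkey"]
        return True
```

The Wallet Instance never transmits the public key on its own: the provider learns it only from a verified attestation and files it under the received hardware_key_tag.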
The short answer is yes, but the Key Attestation argument must be expanded. If we use the term Key Attestation as the Strongbox Keymaster feature, the answer is also yes and we can get more information about it from the official Android documentation: https://developer.android.com/privacy-and-security/security-key-attestation#attestation-v4. If we improperly use the term "Key Attestation" for iOS, it's essential to specify that it's the DeviceCheck services that offer the key attestation feature. This feature is named "attestKey," and for further details, we can consult the official iOS documentation.
Android Then the Attestation Certificate, compliant with the X.509 standard, is the digital certificate used to attest to the validity of a cryptographic key, providing verifiable evidence of its properties and origin. iOS
To answer the first question: To answer the second question: To answer the third question:
These considerations should also be added: #339
See also: #337
…a/eudi-wallet-it-docs into key-attestation-issue-#270
What's in the Key Attestation is defined by the device manufacturer?