WebAuthn Attestation

Overview

WebAuthn Attestation is the Attestation implemented within the Web Authentication API (WebAuthN) to attest to the provenance of an authenticator and the data it emits.

A WebAuthn Attestation statement is conveyed in an attestation object during Credential Enrollment, including, for example, credential IDs, credential key pairs, and Digital Signature counters.
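The credential ID and signature counter mentioned above travel in the authenticator data (authData) byte string inside the attestation object. The following is an added example, not code from this page: a parser for that byte string using the field layout from the WebAuthn specification, with the bounds checks a relying party should apply. The RP ID `example.org` and all sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Bits of the authData "flags" byte, per the WebAuthn authenticator data layout.
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the authData byte string carried inside an attestation object."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {
        "rp_id_hash": auth_data[:32],          # SHA-256 of the RP ID
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,              # big-endian signature counter
        "aaguid": None,
        "credential_id": None,
        "cose_key_and_extensions": b"",
    }
    if not flags & FLAG_AT:
        return result  # no attested credential data present
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data is truncated")
    result["aaguid"] = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    # The spec caps credential IDs at 1023 bytes; also reject lengths past the buffer.
    if cred_len > 1023 or 55 + cred_len > len(auth_data):
        raise ValueError("credential ID length is out of bounds")
    result["credential_id"] = auth_data[55:55 + cred_len]
    # The rest is the CBOR-encoded COSE public key (plus extensions if ED is set).
    # It is returned undecoded here because splitting it needs a CBOR decoder.
    result["cose_key_and_extensions"] = auth_data[55 + cred_len:]
    if not result["cose_key_and_extensions"]:
        raise ValueError("missing credential public key")
    return result


def build_sample() -> bytes:
    """Constructed enrollment authData for the hypothetical RP ID 'example.org'."""
    rp_hash = hashlib.sha256(b"example.org").digest()
    cred_id = bytes(range(16))            # constructed credential ID
    cose_key = bytes.fromhex("a10102")    # constructed placeholder, not a real key
    return (rp_hash + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 7)
            + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```

A relying party would compare `rp_id_hash` against the hash of its own RP ID and store `sign_count` with the credential so later assertions can be checked against it.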

WebAuthn Attestation defines the attestation formats used to validate FIDO Authenticators, uses FIDO2 credentials, and covers the associated User Verification Methods. These are similar to, and could be mapped as, an Authentication Context Class for federation servers or other conditional/adaptive authentication systems.

Attestation Certificate Example

Attestation Certificate (attestnCert) Example

Version: 3 (0x2)
Serial Number: 1918419690 (0x7258c2ea)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Yubico U2F Root CA Serial 457200631
Validity
Not Before: 2014-08-01T00:00:00
Not After: 2050-09-04T00:00:00
Subject: CN=Yubico U2F EE Serial 14803321578
Subject Public Key Info:
Public-Key: (256 bit)
pub:
04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c:a1:8d:eb:
69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81:16:43:99:ef:2a:95:
14:67:3d:15:7c:ec:bf:b5:f0:bc:c7:89:08:53:ee:55:cf:3f:
1a:20:66:f4:d5:13:9b:93:8b:31:0b
Curve: secp256r1
X509v3 extensions:
1.3.6.1.4.1.41482.1.2 (YubiKey NEO):
Signature Algorithm: sha256WithRSAEncryption
bc:cc:1a:f9:0b:7b:95:78:18:d5:55:a4:33:71:6a:60:16:ac:
ed:cb:31:32:c3:41:0f:36:61:64:10:6c:23:d9:2a:b0:6c:5d:
1c:2c:b6:92:9a:d4:21:48:aa:2a:3a:f3:ae:53:89:3a:6a:a1:
40:ca:e9:32:65:93:15:3d:92:aa:00:fd:15:87:4b:02:32:94:
4c:ce:90:ef:11:98:ce:de:fe:a0:87:96:7c:6c:80:e6:b5:00:
09:e4:1d:a7:9c:82:f2:56:97:3b:0c:0e:ed:6a:3d:dd:52:b6:
73:34:c0:fc:bf:e6:d8:8c:a7:53:b1:92:7f:43:34:2c:b6:c7:
b0:20:f9:28:14:e2:11:46:da:ad:6b:48:b0:90:41:62:5f:f7:
30:47:5d:48:17:e5:12:19:c4:07:29:40:68:31:7e:b9:24:ff:
67:63:a0:f3:43:75:c7:a6:53:83:dd:b1:d4:38:7b:02:8b:63:
2a:05:95:3e:d5:f2:8e:ad:02:69:34:fd:30:f1:c0:50:a5:29:
3f:86:c5:53:9b:b5:22:19:6f:c5:1a:bc:6b:20:a5:df:a4:67:
c2:18:80:8a:0f:10:8c:7e:e5:8a:22:c8:6e:d0:78:cf:d2:91:
21:a3:00:17:d4:bb:35:a6:27:b6:4a:82:b7:f9:51:21:62:d9:
0e:15:12:ea

The example shows the X509v3 extension 1.3.6.1.4.1.41482.1.2 (YubiKey NEO), which indicates that the Authenticator Metadata can be located within the FIDO Alliance Metadata Service.
