idea: "half-verifying" mode for attestations #105

@My1

Basically a mode that allows for non/self attestation, while still preserving the integrity of those that do provide attestation:

  1. keep a list of MDS'd authenticator identifiers (AAGUID, and subject key hash for U2F) somewhere (I have an attestation check in one of my sandboxes that works by keeping the decoded JWT as JSON around, and creates lookup tables from AAGUID and SPK hash to their respective index in the MDS JSON)
  2. on registration
    1. check if the authenticator is on that list
      • if yes
        1. gather the root certs for that specific authenticator
        2. check the attestation against them
        3. if the attestation check fails, deny it; otherwise set a flag that can be retrieved along with the attestation data
      • if no
        1. accept the registration
        2. give back the attestation data as "informational" only (here one could potentially add data of known passkey providers to help users, e.g. from https://github.com/passkeydeveloper/passkey-authenticator-aaguids )
  3. if anything notable happens to authenticators a user is confirmed to have, the admin can inform users accordingly.

The biggest "issue" one has with validating attestations "in-line" is that one has to provide the root CAs before knowing the potential AAGUID, which would make this approach impossible, which is why my little sandbox only does the registration without roots but with attestation optionally active (which does check the attestation itself but not the certificate against anything), and I can check the certificates manually later with a "little" infodump script.

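As an added example (not code from this issue or from the project), the decision tree described above written out in Python: an MDS-style index keyed by AAGUID and by SPK hash, a parser that pulls the AAGUID and credential ID out of WebAuthn authenticator data, and a registration decision that returns "verified", "denied" or "informational". The MDS entries, authenticator data and trust paths are constructed stand-ins, and `stand_in_chain_verifier` is a placeholder for real X.509 path validation against the entry's `attestationRootCertificates`; a real deployment would plug in a proper chain verifier there.

```python
"""Added example: decision logic for a "half-verifying" attestation mode.

Not code from the issue or the project. MDS entries, authenticator data and
trust paths are constructed stand-ins; `stand_in_chain_verifier` is a
placeholder for X.509 chain validation against the MDS root certificates.
"""
import hashlib
import struct
import uuid

# Constructed MDS-like entries. FIDO2 entries carry an AAGUID; U2F entries
# carry SHA-1 hashes of the attestation certificate's SubjectPublicKeyInfo.
U2F_SPKI = b"constructed-u2f-subject-public-key-info"
MDS_ENTRIES = [
    {"aaguid": "2FC0579F-8113-47EA-B116-BB5A8DB9202A",
     "description": "Constructed FIDO2 authenticator",
     "attestationRootCertificates": ["ROOT-A"]},
    {"attestationCertificateKeyIdentifiers": [hashlib.sha1(U2F_SPKI).hexdigest()],
     "description": "Constructed U2F authenticator",
     "attestationRootCertificates": ["ROOT-B"]},
]


class MdsIndex:
    """Lookup tables from AAGUID / SPK hash to the entry index in the MDS list."""

    def __init__(self, entries):
        self.entries = entries
        self.by_aaguid = {}
        self.by_spk_hash = {}
        for idx, entry in enumerate(entries):
            if "aaguid" in entry:
                self.by_aaguid[entry["aaguid"].lower()] = idx
            for ski in entry.get("attestationCertificateKeyIdentifiers", []):
                self.by_spk_hash[ski.lower()] = idx

    def find(self, aaguid, leaf_spki):
        idx = self.by_aaguid.get(aaguid.lower())
        if idx is None and leaf_spki is not None:
            # fido-u2f attestations report an all-zero AAGUID, so fall back
            # to the SHA-1 of the attestation certificate's public key info.
            idx = self.by_spk_hash.get(hashlib.sha1(leaf_spki).hexdigest())
        return None if idx is None else self.entries[idx]


def parse_attested_credential(auth_data):
    """Return (aaguid, credential_id) from WebAuthn authenticator data."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & 0x40:  # AT bit: attested credential data present
        raise ValueError("no attested credential data")
    aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return aaguid, cred_id


def make_auth_data(aaguid, cred_id, rp_id="example.com"):
    """Build constructed authenticator data (UP and AT flags set, zero counter)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x41])
            + struct.pack(">I", 0) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa5" + b"\x00" * 7)  # stand-in for the COSE public key


def stand_in_chain_verifier(trust_path, roots):
    """Placeholder for X.509 path validation: trust paths here are lists of
    certificate labels, and the chain is accepted if it ends in a known root."""
    return bool(trust_path) and trust_path[-1] in roots


def decide_registration(auth_data, trust_path, leaf_spki, index,
                        chain_verifier=stand_in_chain_verifier):
    """Half-verifying policy: verify against the MDS roots when the
    authenticator is known, otherwise accept and report the attestation
    as informational only."""
    aaguid, cred_id = parse_attested_credential(auth_data)
    entry = index.find(aaguid, leaf_spki)
    result = {"aaguid": aaguid, "credential_id": cred_id.hex(),
              "mds_description": entry["description"] if entry else None}
    if entry is None:
        result["status"] = "informational"  # accepted, attestation unverified
    elif chain_verifier(trust_path, entry["attestationRootCertificates"]):
        result["status"] = "verified"  # accepted, flag retrievable later
    else:
        result["status"] = "denied"  # known authenticator, attestation failed
    return result


if __name__ == "__main__":
    index = MdsIndex(MDS_ENTRIES)
    fido2 = make_auth_data("2fc0579f-8113-47ea-b116-bb5a8db9202a", b"\x01\x02\x03\x04")
    print(decide_registration(fido2, ["LEAF", "ROOT-A"], None, index))
    u2f = make_auth_data("00000000-0000-0000-0000-000000000000", b"\x05\x06")
    print(decide_registration(u2f, ["LEAF", "ROOT-B"], U2F_SPKI, index))
```

The "informational" result keeps the AAGUID and the MDS description (or None) so the relying party can still show the user which authenticator was registered, while only the "verified" path sets anything that later policy should trust.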