npesic
commented
7 years ago Thank you for your interest in the FIDO UAF, and our open source project.
You have a valid point. It would be the right thing to use Surrogate Attestation as described here: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-protocol-v1.1-id-20170202.html#surrogate-basic-attestation
If you like to contribute this code it would be very welcome.
Thanks, Neb.
At least in the example client app, the certificate is hardcoded and used only during registration, so it doesn't seem to add any security when using it to sign the attestation.
It seems like it would make more sense to sign the attestation with the private key corresponding to the public key that is sent at registration, right?
If so we can send a PR making that change :)