WebAuthn

Attestation

Open seanh0895 opened this issue 1 year ago • 3 comments

On my Apple phone it says the attestation format is coming through as "none", but my Windows TPM says "packed"; neither one can verify the provenance of the device. What gives?

seanh0895, Jan 27 '24 18:01

I am not sure if Apple even allows using attested single-device passkeys by now. IIRC they only use synced passkeys, which generally speaking do not use any attestation; at best they might use a self attestation (which is basically only for informational purposes, as it cannot prove anything), while on Windows, as far as I am aware, synced platform passkeys are not even a thing yet.

My1, Jun 24 '25 20:06

@My1 I think it used to be trapped in the Secure Enclave, but now it can leave the device, at least in an Apple

seanh0895, Jun 24 '25 20:06

Kinda. The earlier Apple-attested credentials IIRC still cannot leave, as that would be a violation of the attestation.

But newer passkeys are not stored "to" the enclave specifically, but rather to the Apple keychain (which sure is secured by the enclave, but not in the same way as the earlier single-device passkeys were), and as they are on the keychain they can be synced.

And for synced passkeys the standard is either no attestation or self attestation with an AAGUID that is basically merely of informational value. An attestation could not really be done with synced passkeys, as you'd either need a system where e.g. Apple servers do the attestation live, or you'd need to change the way the enclave attests keys, as I heavily assume that the enclave, like other more general-use secure elements, only really does attestation of keys when the key was generated on it and is stored in a way that it cannot just be extracted to other places and is bound to it.

It's the same with Android passkeys, btw.

My1, Jun 24 '25 21:06
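Added example, not part of the thread above: a relying-party-side triage of what a registration's attestation actually proves, covering the three cases discussed (fmt "none", "packed" self-attestation with only `alg`/`sig`, and "packed" with an `x5c` certificate chain). It assumes the attestationObject has already been CBOR-decoded into `fmt`, `attStmt` and `authData`; the authData bytes and the AAGUID are constructed placeholders, and signature and certificate-chain verification are out of scope.

```python
# Added example (not from the thread): RP-side triage of a WebAuthn registration's
# attestation, showing why fmt "none" and "packed" self-attestation give no
# device provenance. Input is the attestationObject AFTER CBOR decoding
# (fmt, attStmt, authData); the sample bytes below are constructed, not captured.
import struct

FLAG_AT = 0x40  # authData flags bit: attested credential data is present


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authData per the WebAuthn layout: rpIdHash(32) flags(1) signCount(4)
    [aaguid(16) credIdLen(2) credId(credIdLen) credentialPublicKey(COSE)]."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than fixed header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    out = {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count,
           "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId truncated")
        out["aaguid"], out["credential_id"] = auth_data[37:53], cred_id
    return out


def classify_attestation(fmt: str, att_stmt: dict, auth_data: bytes) -> dict:
    """Return what the RP can conclude from fmt/attStmt alone (not a full verifier:
    signature and certificate-chain checks are deliberately out of scope here)."""
    ad = parse_auth_data(auth_data)
    aaguid = ad["aaguid"].hex() if ad["aaguid"] else None
    if fmt == "none":
        level = "none"   # empty attStmt; any AAGUID is a self-report the RP cannot verify
    elif fmt == "packed" and att_stmt.get("x5c"):
        level = "basic"  # cert chain present: verifiable against a trusted root, and the
                         # cert's AAGUID extension must match the AAGUID in authData
    elif fmt == "packed" and "sig" in att_stmt:
        level = "self"   # signed with the credential's own key: proves key possession only
    else:
        level = "unsupported"
    return {"level": level, "aaguid": aaguid, "device_provenance": level == "basic"}


# Constructed sample: UP+AT flags, placeholder AAGUID, 4-byte credential id, no COSE key.
SAMPLE_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")  # placeholder value
SAMPLE_AUTH_DATA = (b"\x11" * 32 + bytes([0x41]) + struct.pack(">I", 7)
                    + SAMPLE_AAGUID + struct.pack(">H", 4) + b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print(classify_attestation("none", {}, SAMPLE_AUTH_DATA))
    print(classify_attestation("packed", {"alg": -7, "sig": b"\x30"}, SAMPLE_AUTH_DATA))
    print(classify_attestation("packed", {"alg": -7, "sig": b"\x30", "x5c": [b"\x30"]}, SAMPLE_AUTH_DATA))
```

Only the "basic" case leaves anything to verify; "none" and "self" both report `device_provenance` False, which is exactly the situation the opening post describes.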