Yes, that is perfectly viable. If you do not intend to use the Google 
PlayStore you don't need a Google signed attestation key. Note, however, 
that the attestation certificates issued by keymaster are checked by the 
applications' service back ends. So if you allow apps from third parties 
which use key attestation, their back ends may not trust your certificates 
and reject the attestation certificates issued by your keymaster 
implementation. You may need to negotiate with these vendors to whitelist 
your CA. But if you control all of the apps, it is up to you which CAs to 
trust.

On Tuesday, October 23, 2018 at 1:09:37 PM UTC-7, davi...@ff.com wrote:
>
> Janis, thank you for the reply. Good to know that we don't have to use 
> Google root CA for CTS test.
> Our platform doesn't allow application installation from Google Playstore, 
> which means all the Apps are controlled and signed by ourselves. Can I 
> assume that in this case these Apps can also use our own cert-chain for 
> Keymaster authority check?
>
>
> On Tuesday, October 23, 2018 at 11:18:26 AM UTC-7, Janis wrote:
>>
>> Hi,
>>
>> CTS and VTS tests do not check the origin of the root CA. So you can pass 
>> these tests with a certificate chain rooted in a self-signed CA. Once you 
>> have passed CTS and VTS you can get the Google signed keys. Please reach out to 
>> your technical account manager at Google for the right process.
>>
>> With kind regards,
>> Janis
>>
>> On Wednesday, October 17, 2018 at 5:51:53 PM UTC-7, davi...@ff.com wrote:
>>>
>>> Get information from QCOM datasheet "Attestation key provision is 
>>> mandatory on new android O release, customer need do key attestation 
>>> before the CTS/VTS test." However, the information from Google is that we 
>>> have to pass CTS before applying key attestation.
>>> Which one is correct? Which department should we reach out to in order to 
>>> apply for the attestation key?
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.