- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 22 Nov 2017 17:54:44 +0000
- To: public-webauthn@w3.org
@equalsJeffH >Though, a side-effect of this would be one could have authnrs that just plain do not provide attestation. Yeah. It looks like an implicit assumption up until now has been that attestation statements are created exclusively by authenticators, but with the `"indirect"` feature we're opening up for the client and/or a proxy to also create their own attestation statements. We could perhaps forbid authenticators from using a `none` attestation statement format, but it could definitely be confusing. On the other hand I wouldn't want to complicate any of the existing formats with additional optional behaviour, like making members optional in the `packed` format. Would it be possible to do something like this (pseudo-spec)? >If the RP sends `attestation: "none"`, the client and/or authenticator MAY ignore any requirements on the `attStmt` member of the attestation object. Overriding behaviour elsewhere like that could of course be quite confusing in its own way instead. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/pull/693#issuecomment-346427545 using your GitHub account
Received on Wednesday, 22 November 2017 17:54:47 UTC