Re: [webauthn] RP guidelines should allow RP to not check attestation

On the other hand, verifying the signature but not the attestation of the authenticator model is already explicitly allowed in step 14:

>If the attestation statement attStmt successfully verified but is not trustworthy per step 12 above, the Relying Party SHOULD fail the registration ceremony.
>NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the credential as one with self attestation (see §5.3.3 Attestation Types). If doing so, the Relying Party is asserting there is no cryptographic proof that the public key credential has been generated by a particular authenticator model. See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.

Perhaps there is some confusion in what "attestation" means?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/576#issuecomment-330633245 using your GitHub account

Received on Tuesday, 19 September 2017 18:42:59 UTC
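The step 12 / step 14 branching quoted above, as an added illustration that is not part of the comment or of the webauthn spec's own text: the attestation statement's signature check and the trust decision about the authenticator model are two separate results, and policy decides whether an untrusted-but-valid statement fails the ceremony or is recorded as self attestation. Every name here (`decide_registration`, `RpPolicy`, the AAGUID set standing in for a trust-anchor lookup) is an assumption of this example, and the AAGUID values are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class AttestationType(Enum):
    # Subset of the attestation types relevant to the quoted step.
    SELF = "self"    # key proves only possession of itself
    BASIC = "basic"  # key attested by a model-level certificate chain


class Outcome(Enum):
    FAIL = "fail"
    ACCEPT_ATTESTED = "accept-attested"
    ACCEPT_AS_SELF = "accept-as-self-attested"


@dataclass(frozen=True)
class RpPolicy:
    # Step 14 NOTE: "if permitted by policy" the RP may downgrade to self attestation.
    allow_untrusted_as_self: bool


@dataclass(frozen=True)
class RegistrationResult:
    outcome: Outcome
    # What the RP may later claim about the credential; None when rejected.
    recorded_attestation: Optional[AttestationType]


# Constructed stand-in for a step 12 trust check. A real RP would validate the
# attestation certificate chain against trust anchors or metadata; here the
# AAGUIDs below are invented values used only to drive the example.
TRUSTED_AAGUIDS: FrozenSet[str] = frozenset({"00000000-0000-0000-0000-0000000000aa"})


def model_is_trusted(aaguid: str, trusted: FrozenSet[str] = TRUSTED_AAGUIDS) -> bool:
    """Simplified step 12: is this authenticator model acceptable to the RP?"""
    return aaguid in trusted


def decide_registration(
    att_stmt_verified: bool,
    claimed_type: AttestationType,
    aaguid: str,
    policy: RpPolicy,
) -> RegistrationResult:
    """Apply the step 14 rule to one registration ceremony.

    att_stmt_verified: result of verifying attStmt's signature (step 13 area).
    claimed_type: attestation type the verified statement conveys.
    aaguid: authenticator model identifier from authenticator data.
    """
    # A statement that does not verify at all is always rejected.
    if not att_stmt_verified:
        return RegistrationResult(Outcome.FAIL, None)

    # Self attestation never asserts a model, so trust in the model is moot.
    if claimed_type is AttestationType.SELF:
        return RegistrationResult(Outcome.ACCEPT_AS_SELF, AttestationType.SELF)

    # Verified and trustworthy per step 12: keep the model-level claim.
    if model_is_trusted(aaguid):
        return RegistrationResult(Outcome.ACCEPT_ATTESTED, claimed_type)

    # Verified but not trustworthy: SHOULD fail, MAY downgrade if policy permits.
    if policy.allow_untrusted_as_self:
        # The RP now asserts no cryptographic proof of the authenticator model.
        return RegistrationResult(Outcome.ACCEPT_AS_SELF, AttestationType.SELF)
    return RegistrationResult(Outcome.FAIL, None)


if __name__ == "__main__":
    strict = RpPolicy(allow_untrusted_as_self=False)
    lenient = RpPolicy(allow_untrusted_as_self=True)
    unknown_model = "ffffffff-ffff-ffff-ffff-ffffffffffff"  # constructed, not trusted
    print(decide_registration(True, AttestationType.BASIC, unknown_model, strict))
    print(decide_registration(True, AttestationType.BASIC, unknown_model, lenient))
```

The point the function makes explicit is that the downgrade path keeps the credential but changes what the RP records about it: a later audit of `recorded_attestation` cannot mistake a policy-downgraded key for one whose model was actually proven.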