[webauthn] Errors for attestations. (#1697)

ve7jtb has just created a new issue for https://github.com/w3c/webauthn:

== Errors for attestations. ==
RPs currently have 4 options for requesting attestation.
enum AttestationConveyancePreference {
    "none",
    "indirect",
    "direct",
    "enterprise"
};

In general, we want an RP to be able to request any one of those and get back a response.

I think there is a question over what happens if the authenticator supports no attestation.
For CTAP2 authenticators they would always support at least "self" or none with no AAGUID.
I believe the correct behaviour for a platform authenticator would be to return "self" or none if it doesn't support anything else. The browser could also provide none.

I think we want to avoid forcing RP to sniff platforms to decide if it is safe to ask for direct.

It is possible that the RP doesn't specify an attachment hint and wants an attestation if it is supported by an external authenticator or is willing to take none from a platform authenticator.

If the platform always errors when seeing direct, it forces the RP to create two separate flows.

I can see that we were perhaps not explicit enough about how platforms deal with this situation. 



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1697 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 February 2022 19:22:59 UTC
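
An added example, not part of the original issue or of the WebAuthn specification text: a single RP-side registration flow that always asks for "direct" and classifies whatever attestation comes back, instead of branching on platform. The function names, the `attestationRequired` policy flag and the sample inputs are assumptions, and the attestation object is taken as already CBOR-decoded.

```javascript
// Added example. Names are hypothetical; inputs are constructed, already-decoded
// attestation objects (a real RP would CBOR-decode attestationObject first).

// One set of creation options for every authenticator: no attachment hint,
// attestation "direct", no user-agent or platform checks.
function creationOptions(challenge, user) {
  return {
    publicKey: {
      rp: { name: "Example RP" }, // constructed value
      user,
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      attestation: "direct",
    },
  };
}

// Classify what actually came back instead of assuming "direct" was honoured.
function classifyAttestation({ fmt, attStmt = {} }) {
  if (fmt === "none") return "none";
  const hasChain = Array.isArray(attStmt.x5c) && attStmt.x5c.length > 0;
  // Packed format without x5c is self attestation (signed by the credential key).
  if (fmt === "packed" && !hasChain) return "self";
  // A certificate chain is only a claim until it is verified against trust anchors.
  return hasChain ? "chain-present" : "unrecognised";
}

// Single flow: the same code path handles every outcome; RP policy (an
// assumption here) decides whether a missing attestation is acceptable.
function registrationDecision(att, { attestationRequired = false } = {}) {
  const kind = classifyAttestation(att);
  const needsChainVerification = kind === "chain-present";
  return {
    kind,
    accept: needsChainVerification || !attestationRequired,
    needsChainVerification,
    // Without a verified trust path the AAGUID is an unauthenticated hint,
    // so it is withheld from policy decisions.
    aaguid: needsChainVerification ? att.aaguid : null,
  };
}
```

An `accept` of true with `needsChainVerification` set still leaves signature and certificate-chain validation to the caller before the AAGUID is trusted.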