[webauthn] FIDO U2F Attestation Statement Format needs to clarify that user handle will be empty

jcjones has just created a new issue for https://github.com/w3c/webauthn:

== FIDO U2F Attestation Statement Format needs to clarify that user handle will be empty ==
FIDO U2F devices have no mechanism to store a `userHandle` field, so if an RP passes a user handle to `make credential` and gets back a U2F attestation type, the RP must be prepared that subsequent calls to `get assertion` will not have a user handle.

I recommend modifying the last step of **Verification procedure** to:
> If successful, return attestation type Basic with the attestation trust path set to `x5c` _and the user handle set to an empty buffer_.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/715 using your GitHub account

Received on Thursday, 7 December 2017 15:00:53 UTC
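
An added example, not part of the original issue or of the WebAuthn specification: one way an RP can resolve the user for a `get assertion` response when a U2F-backed credential returns no user handle. The credential store, its field names, and `resolveAssertionUser` are hypothetical; signature verification is assumed to happen separately.

```javascript
// Constructed sample store, keyed by credential ID (hypothetical schema).
const credentials = new Map([
  ["cred-u2f", { userId: "alice", fmt: "fido-u2f" }],    // U2F: no stored user handle
  ["cred-resident", { userId: "bob", fmt: "packed" }],   // can return a user handle
]);

// Treat a missing handle and an empty buffer the same way.
function isEmpty(buf) {
  return buf == null || buf.length === 0;
}

// sessionUserId is the user identified before the ceremony (username-first
// flow), or null when the RP relies on the authenticator to identify the user.
function resolveAssertionUser(store, { credentialId, userHandle }, sessionUserId = null) {
  const record = store.get(credentialId);
  if (!record) return { ok: false, reason: "unknown credential" };

  if (isEmpty(userHandle)) {
    // A U2F device cannot supply the handle, so the RP must already know
    // which user is signing in; otherwise there is nothing to bind to.
    if (sessionUserId === null) {
      return { ok: false, reason: "no user handle and no identified user" };
    }
  } else if (Buffer.from(userHandle).toString("utf8") !== record.userId) {
    // A handle that is present must map to the credential's owner.
    return { ok: false, reason: "user handle does not match credential owner" };
  }

  // The credential must belong to the user identified up front, if any.
  if (sessionUserId !== null && sessionUserId !== record.userId) {
    return { ok: false, reason: "credential not owned by identified user" };
  }
  return { ok: true, userId: record.userId };
}
```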