Re: [webauthn] Authnr sel aaguidlist

>What has changed to start mandating it for all implementations?
In the beginning of the WebAuthn spec process, some people were convinced that RPs wouldn't have the need to influence the authenticator selection.

At this stage, we already have seen that there is a need for the RP to influence the authenticator selection in order to improve the user experience.  As a consequence we have been adding the AuthenticatorSelectionCriteria object to the core specification.

The discussion regarding the fields in AuthenticatorSelectionCriteria shows that it is difficult to determine now what the right criteria for authenticator selection will be in the future.

So in my opinion there is substantial value for one generic method allowing the RP to formulate *any* rule for influencing the authenticator selection.
More specifically, I am convinced that the ability to provide a list of authenticator model names (i.e. AAGUIDs) provides exactly that.  It allows the RP to use whatever set of criteria they want on the server side to generate such a (prioritized) list and then make it easy for the platform to follow that list.

>Also, why is the AAGUID the right thing to filter on rather than something like a certificate in the attestation chain?

The AAGUID was introduced as an abstraction for the authenticator model name.  I think it is less bulky to send over a (potentially large) list of AAGUIDs than sending over a (potentially) even larger list of acceptable attestation certificates.
Note: One authenticator model might even have several attestation certificates in use (for the various batches of authenticator instances of such model).

GitHub Notification of comment by rlin1
Please view or discuss this issue at using your GitHub account

Received on Tuesday, 30 May 2017 10:19:40 UTC
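The comment above describes two halves of the AAGUID-list idea: the RP applies its own criteria server-side to produce a prioritized list of AAGUIDs, and at registration it sees which model actually responded via the AAGUID in the attested credential data. The following is an added example, not code from the thread or from the WebAuthn spec; the model catalogue, its AAGUIDs and properties, and the `make_auth_data` helper are constructed for illustration. It parses the AAGUID out of authenticator data using the layout the spec defines (rpIdHash, flags, signCount, then attested credential data) and ranks the registering authenticator against the RP's list.

```python
import hashlib
import struct
import uuid
from typing import Dict, List, Optional

# WebAuthn authenticator data layout (from the spec):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian)
#   | attestedCredentialData (only when flags.AT is set):
#       aaguid (16) | credentialIdLength (2, big-endian) | credentialId | credentialPublicKey (COSE)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def parse_aaguid(auth_data: bytes) -> Optional[uuid.UUID]:
    """Return the AAGUID from authenticator data, or None when no attested credential data is present."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential id truncated")
    return aaguid


# Constructed catalogue of authenticator models the RP knows about. The AAGUIDs and the
# capability flags are made up for this example; a real RP would take them from metadata it trusts.
MODEL_CATALOGUE: Dict[uuid.UUID, Dict[str, object]] = {
    uuid.UUID("00000000-0000-4000-8000-00000000000a"): {"name": "model-a", "uv": True, "rk": True},
    uuid.UUID("00000000-0000-4000-8000-00000000000b"): {"name": "model-b", "uv": True, "rk": False},
    uuid.UUID("00000000-0000-4000-8000-00000000000c"): {"name": "model-c", "uv": False, "rk": False},
}


def build_preferred_aaguids(catalogue: Dict[uuid.UUID, Dict[str, object]],
                            require_uv: bool, require_rk: bool) -> List[uuid.UUID]:
    """RP-side selection policy: drop models that miss a hard requirement, then rank the rest
    (user-verification-capable first, then resident-key-capable). The order is the prioritized list."""
    eligible = [(g, p) for g, p in catalogue.items()
                if (p["uv"] or not require_uv) and (p["rk"] or not require_rk)]
    eligible.sort(key=lambda item: (not item[1]["uv"], not item[1]["rk"], item[1]["name"]))
    return [g for g, _ in eligible]


def rank_registered_authenticator(auth_data: bytes, preferred: List[uuid.UUID]) -> Optional[int]:
    """Registration-time check: position of the attested AAGUID in the RP's list,
    or None when the responding authenticator is not one the RP asked for."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None or aaguid not in preferred:
        return None
    return preferred.index(aaguid)


def make_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                   flags: int = FLAG_UP | FLAG_AT) -> bytes:
    """Construct authenticator data for the example (the COSE public key is a placeholder blob)."""
    cose_key_placeholder = b"\xa0"  # constructed: an empty CBOR map stands in for the public key
    attested = aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key_placeholder
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1) + attested


if __name__ == "__main__":
    wanted = build_preferred_aaguids(MODEL_CATALOGUE, require_uv=True, require_rk=False)
    sample = make_auth_data("example.com", uuid.UUID("00000000-0000-4000-8000-00000000000b"), b"\x11" * 16)
    print([MODEL_CATALOGUE[g]["name"] for g in wanted], rank_registered_authenticator(sample, wanted))
```

The list handed to the platform is a user-experience hint; the RP still has to read the AAGUID back from the attested credential data and, as the comment notes when it ties attestation certificates to models, only an attestation statement it has verified makes that AAGUID more than a self-reported value.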