Re: [webauthn] Adding a choice for RP to express preferences for attestation types

@rlin1 wrote:
> Proposal: 3 different values:
> low-cost (i.e. none)
> Privacy-CA
> verifiable attestation as generated by the authenticator.

@akshayku wrote:
> direct - indicates that the [=[RP]=] requires to receive the attestation directly
> from the authenticator. In this case, the Platform MUST provide non-modified attestation statement from the authenticator. Platform MAY ask for user consent in privacy sensitive modes of operation such as Incognito or Private browsing,

combining the above and adding some polishing yields:

none: [ some form of self-attestation ]
proxied: [ google privacy CA proposal ]
direct: the client platform MUST provide the [=attestation object=], as generated by the [=authenticator=], to the [=[RP]=], unless operating in a privacy sensitive operational mode such as Incognito or Private browsing. In the latter case, the client platform MAY prompt for [=user consent=], and substitute none or proxied if the user denies consent. Whether none or proxied may be established by local user configuration setting, or by enterprise policy.

the above obviously needs further polishing and thought.

@rolf noted:
> We still have to decide whether low-cost means self attestation (generated by Authnr) or some public key generated by the user agent.

yes.

@nadalin wrote:
> I don't think this is fully thought out yet.

agreed.  

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-343592408 using your GitHub account

Received on Friday, 10 November 2017 21:30:29 UTC
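The conveyance rule sketched in the comment above (direct unless in a privacy-sensitive mode, then consent or a configured fallback), modelled as an added example that is not part of the thread or of the WebAuthn spec; the value names `none`/`proxied`/`direct`, the `privacyMode`, `userConsent` and `fallback` inputs, and the RP-side `requireDirect` policy flag are assumptions taken from the proposal, not shipped API.

```javascript
// Added example: models the proposed client-platform decision for the RP's
// attestation preference. Names are the thread's proposal, not the final spec.
const ATTESTATION_PREFS = ["none", "proxied", "direct"];

// Client-platform side: decide what is actually conveyed to the RP.
// ctx.privacyMode  - true in Incognito/Private browsing (assumed input)
// ctx.userConsent  - true/false if the platform prompted, undefined if it did not
// ctx.fallback     - "none" or "proxied", from local user setting or enterprise policy
function resolveAttestationConveyance(requested, ctx) {
  if (!ATTESTATION_PREFS.includes(requested)) {
    throw new TypeError(`unknown attestation preference: ${requested}`);
  }
  const fallback = ctx.fallback ?? "none";
  if (fallback !== "none" && fallback !== "proxied") {
    throw new TypeError(`fallback must be none or proxied, got ${fallback}`);
  }
  // none and proxied are honoured as requested; only direct is privacy-sensitive.
  if (requested !== "direct") return requested;
  if (!ctx.privacyMode) return "direct";
  // Privacy-sensitive mode: platform MAY prompt; without explicit consent, substitute.
  return ctx.userConsent === true ? "direct" : fallback;
}

// RP side: the RP expresses its preference in the creation options, but must be
// prepared for a downgrade. requireDirect decides whether a downgraded
// registration (asked for direct, got none) is rejected.
function rpAcceptsConveyance(requested, conveyed, policy) {
  if (requested === "direct" && conveyed !== "direct") {
    return !policy.requireDirect;
  }
  return true;
}

// Example flow: RP asks for direct, user is in a private window and declines.
function exampleRegistration(ctx, policy) {
  const requested = "direct";
  const conveyed = resolveAttestationConveyance(requested, ctx);
  return { conveyed, accepted: rpAcceptsConveyance(requested, conveyed, policy) };
}
```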