Re: [webauthn] build on Adding a choice for RP to express preferences for attestation types

a) Re: 'none'. It seems to be potentially harmful to allow the client to provide "meaningless client-generated values" for attestation/AAGUID since what constitutes 'meaningless' is ambiguous. Poorly-designed clients can provide legitimate AAGUIDs or replayed attestations while claiming they are meaningless. My recommendation: assign default values for the AAGUID and the attestation for this option (e.g. all 1's for AAGUID and all 0's for attestation).

b) Re: 'indirect'. "There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case." I take this to mean that it is possible for the RP to receive a verifiable attestation when "indirect" is selected. What does a verifiable attestation statement look like in this case? Would it conform to one of the pre-registered attestation formats? Or is it yet to be defined?

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/693#issuecomment-346195100 using your GitHub account

Received on Tuesday, 21 November 2017 23:29:54 UTC
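As an added example (not code from this thread, the pull request, or the WebAuthn spec), here is an RP-side check for point (a): it parses authenticator data, extracts the AAGUID, and verifies that a response to a 'none' request carries only placeholder values rather than a real-looking AAGUID or a replayed attestation. It assumes the placeholder is 16 bytes of 0xFF (one reading of "all 1's") and that the attestation statement is empty; the sample authenticator data is constructed and carries no COSE key or signature.

```python
import struct

# Assumed placeholder per the comment's proposal: AAGUID of all 1-bits under 'none'.
PLACEHOLDER_AAGUID = b"\xff" * 16
FLAG_AT = 0x40  # authenticator data flag: attested credential data included


def parse_auth_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticator data into rpIdHash, flags, signCount and,
    when the AT flag is set, the AAGUID and credential ID (COSE key is not parsed)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    result = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if result["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        result["credential_id"] = cred_id
    return result


def check_none_attestation(auth_data: bytes, fmt: str, att_stmt: dict) -> str:
    """Return 'ok' when a response to a 'none' request carries only placeholder
    values; any other result flags a client that leaked an AAGUID or attestation."""
    parsed = parse_auth_data(auth_data)
    if "aaguid" not in parsed:
        return "no attested credential data"
    if fmt != "none" or att_stmt:
        return "unexpected attestation statement for conveyance 'none'"
    if parsed["aaguid"] != PLACEHOLDER_AAGUID:
        return "AAGUID is not the agreed placeholder"
    return "ok"


def build_auth_data(aaguid: bytes, cred_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Constructed sample authenticator data: fake rpIdHash, AT|UP flags, signCount 5."""
    return (b"\x11" * 32 + bytes([FLAG_AT | 0x01]) + b"\x00\x00\x00\x05"
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```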