Re: [webauthn] build on Adding a choice for RP to express preferences for attestation types

>a) Re: 'none'. It seems to be potentially harmful to allow the client to provide "meaningless client-generated values" [...] My recommendation: assign default values for the AAGUID and the attestation for this option (e.g. all 1's for AAGUID and all 0's for attestation).

I agree, but instead suggest leaving the attestation statement out completely. For example, the attestation object could look like `{ "authData": [bytes], "fmt": "packed", "attStmt": {} }`, or `{ "authData": [bytes], "fmt": "none" }` if we add `"none"` as an attestation statement format.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/693#issuecomment-346299747 using your GitHub account

Received on Wednesday, 22 November 2017 09:54:17 UTC
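
The two attestation object shapes proposed in the message above, seen from the relying party's side. This is an added example, not part of the original message or of the WebAuthn specification: a minimal CBOR reader for only the types used here, plus a hypothetical `classify` function that treats either empty shape as "no attestation" and rejects `"none"` when it still carries a statement. The sample bytes, including the 37-byte all-zero `authData`, are constructed.

```python
def _head(buf, i):
    """Read one CBOR head: (major type, argument, next offset)."""
    if i >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info < 24:
        return major, info, i + 1
    if info > 27:
        raise ValueError("indefinite/reserved lengths not supported")
    size = 1 << (info - 24)  # 1, 2, 4 or 8 argument bytes
    return major, int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size

def _item(buf, i):
    """Decode the subset of CBOR used here: byte string, text string, map."""
    major, arg, i = _head(buf, i)
    if major in (2, 3):
        if i + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[i:i + arg])
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, i = _item(buf, i)
            out[key], i = _item(buf, i)
        return out, i
    raise ValueError("unsupported CBOR major type %d" % major)

def classify(att_obj):
    """Hypothetical RP-side check for the two shapes proposed in the message."""
    obj, end = _item(att_obj, 0)
    if end != len(att_obj) or not isinstance(obj, dict):
        raise ValueError("attestation object must be exactly one CBOR map")
    if not isinstance(obj.get("authData"), bytes):
        raise ValueError("authData missing")
    fmt, stmt = obj.get("fmt"), obj.get("attStmt")
    if fmt == "none":
        if stmt not in (None, {}):
            raise ValueError('fmt "none" must not carry attestation data')
        return "no-attestation"
    if fmt == "packed" and stmt == {}:
        return "no-attestation"
    return "needs-verification"

# Constructed samples; authData is a 37-byte all-zero placeholder.
AUTH = b"\x68authData\x58\x25" + bytes(37)
NONE_OMITTED = b"\xa2" + AUTH + b"\x63fmt\x64none"
PACKED_EMPTY = b"\xa3" + AUTH + b"\x63fmt\x66packed\x67attStmt\xa0"
NONE_WITH_SIG = b"\xa3" + AUTH + b"\x63fmt\x64none\x67attStmt\xa1\x63sig\x41\x01"
```

Rejecting `NONE_WITH_SIG` is the point of the check: a client cannot label an object `"none"` and still smuggle in statement contents that a relying party might store or act on.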