Re: [webauthn] build on Adding a choice for RP to express preferences for attestation types

Adding a "none" attestation format might be interesting in the future but we are pondering providing a retrospective unblinding token in the no-attestation case, which we would need to be carried in the attestation data(*).

> However, authenticatorData includes attestedCredentialData, which in turn includes "The AAGUID of the authenticator". Since AAGUID can be used to fingerprint the device, should it be left out if 'indirect' is selected and the aim is to provide a verifiable attestation statement to the RP?

Eliminating, or not, the AAGUID is an underlying CTAP issue. Because a Privacy CA cannot learn the site that a user is registering with, it can only learn the hash of the signed data. That means that the signed data cannot be altered by a client without invalidating the signature by the Privacy CA and thus the AAGUID cannot be eliminated without co-operation from the token.

Thus I think specifying how to remove the AAGUID would be premature at this point. 

(*) Without a Privacy CA the unblinding scheme needs to be asymmetric, which makes it considerably more complicated. Thus, as an aside, if any RPs who might consider the "none" scheme would be influenced by the ability to find, in the event that a security problem is disclosed for certain tokens, which of their users are using those tokens, please let me know. 

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/693#issuecomment-346416712 using your GitHub account

Received on Wednesday, 22 November 2017 17:15:22 UTC
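The structural point in the message above, that the AAGUID sits inside the signed authenticatorData and so cannot be blanked by a client without changing what the attestation signature covers, as an added example that is not part of the original post. The field layout follows the WebAuthn authenticatorData format; the sample bytes, RP ID and AAGUID are constructed for illustration.

```python
import hashlib
import struct

# authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | attestedCredentialData,
# where attestedCredentialData = aaguid (16) | credentialIdLength (2) | credentialId | COSE key.
FLAG_UP, FLAG_AT = 0x01, 0x40

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into fields; the COSE public key is returned undecoded."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    out = {"rp_id_hash": auth_data[:32], "flags": auth_data[32],
           "sign_count": struct.unpack(">I", auth_data[33:37])[0]}
    if out["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attestedCredentialData is truncated")
        out["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credentialId runs past the end of authenticatorData")
        out["credential_id"] = auth_data[55:55 + cred_len]
        out["credential_public_key"] = auth_data[55 + cred_len:]
    return out

def signed_digest(auth_data: bytes, client_data_hash: bytes) -> bytes:
    """The attestation signature covers authenticatorData || clientDataHash; a Privacy CA
    that only receives this digest cannot learn the RP, but cannot alter the AAGUID either."""
    return hashlib.sha256(auth_data + client_data_hash).digest()

def zero_aaguid(auth_data: bytes) -> bytes:
    """A client-side attempt to hide the device model by blanking the AAGUID in place."""
    return auth_data[:37] + bytes(16) + auth_data[53:]

# Constructed sample, not real authenticator output: RP "example.com", UP|AT, counter 7,
# a made-up AAGUID, a 16-byte credential id and a CBOR empty map standing in for the key.
SAMPLE_AAGUID = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", 7)
                    + SAMPLE_AAGUID + struct.pack(">H", 16) + b"\xaa" * 16 + b"\xa0")
SAMPLE_CLIENT_DATA_HASH = hashlib.sha256(b"constructed clientDataJSON").digest()

def aaguid_is_covered_by_signature(auth_data: bytes, client_data_hash: bytes) -> bool:
    """True when blanking the AAGUID changes the digest the attestation signature covers."""
    return (signed_digest(auth_data, client_data_hash)
            != signed_digest(zero_aaguid(auth_data), client_data_hash))
```

An RP verifying attestation would compute the same digest and check the token's signature over it, which is why removing the AAGUID needs the token's cooperation rather than a client-side edit.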