- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 22 Nov 2017 17:21:11 +0000
- To: public-webauthn@w3.org
@gmandyam assiduously wrote:

> >a) Re: 'none'. It seems to be potentially harmful to allow the client to provide "meaningless client-generated values" [...] My recommendation: assign default values for the AAGUID and the attestation for this option (e.g. all 1's for AAGUID and all 0's for attestation).

@emlun replied creatively:

> I agree, but instead suggest leaving the attestation statement out completely. For example, the attestation object could look like `{ "authData": [bytes], "fmt": "packed", "attStmt": {} }`,

that sounds relatively easily workable.

> or `{ "authData": [bytes], "fmt": "none" }` if we add `"none"` as an attestation statement format.

this approach seems like it'd require more spec surgery, ie, it looks to me like the [`attStmtTemplate`](https://w3c.github.io/webauthn/#generating-an-attestation-object) would have to change to make the `attStmt` member optional. Plus defining the "none" attstn stmt format. Though, a side-effect of this would be one could have authnrs that just plain do not provide attestation.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/693#issuecomment-346418410 using your GitHub account
Received on Wednesday, 22 November 2017 17:21:13 UTC