
Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Oct 2017 22:36:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335968664-1507761384-sysbot+gh@w3.org>
Correct me if I'm wrong here, but I question the premise - isn't the whole point of the spec that the RP trusts the authenticator but _not_ the client? If the RP doesn't care about the attestation signature, there's no guarantee that an authenticator is even involved in the first place. Web Crypto already provides APIs for generating asymmetric keys, so why would an RP use WebAuthn if they don't care whether the credential is actually backed by a trusted authenticator?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-335968664 using your GitHub account
Received on Wednesday, 11 October 2017 22:36:37 UTC
