Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create() from Emil Lundberg via GitHub on 2017-10-11 (public-webauthn@w3.org from October 2017)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Oct 2017 22:36:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335968664-1507761384-sysbot+gh@w3.org>

Correct me if I'm wrong here, but I question the premise - isn't the whole point of the spec that the RP trusts the authenticator but _not_ the client? If the RP doesn't care about the attestation signature, there's no guarantee that an authenticator is even involved in the first place. Web Crypto already provides APIs for generating asymmetric keys, so why would an RP use WebAuthn if they don't care whether the credential is actually backed by a trusted authenticator?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-335968664 using your GitHub account

Received on Wednesday, 11 October 2017 22:36:37 UTC