Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

Correct me if I'm wrong here, but I question the premise - isn't the whole point of the spec that the RP trusts the authenticator but _not_ the client? If the RP doesn't care about the attestation signature, there's no guarantee that an authenticator is even involved in the first place. Web Crypto already provides APIs for generating asymmetric keys, so why would an RP use WebAuthn if they don't care whether the credential is actually backed by a trusted authenticator?

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 11 October 2017 22:36:37 UTC