Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create() from balfanz via GitHub on 2017-10-12 (public-webauthn@w3.org from October 2017)

From: balfanz via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Oct 2017 16:29:16 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336191537-1507825741-sysbot+gh@w3.org>

Just a couple of comments:

- Keeping in mind that these are not black-and-white issues, the RP *does* have to trust the client. If the client is malicious, it can exfiltrate the user's data, operate on the user's behalf, etc.

- Using a Privacy CA is not a change to webauthn. The spec already calls that out as a possible model. I think that what's happening here is that nobody has seriously looked into actually deploying one. Now that we are, we realize that we need to smooth out some rough edges around that attestation type.

-- 
GitHub Notification of comment by balfanz
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-336191537 using your GitHub account

Received on Thursday, 12 October 2017 16:29:04 UTC