Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

From: balfanz via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Oct 2017 16:29:16 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-336191537-1507825741-sysbot+gh@w3.org>

Just a couple of comments:

- Keeping in mind that these are not black-and-white issues, the RP *does* have to trust the client. If the client is malicious, it can exfiltrate the user's data, operate on the user's behalf, etc.

- Using a Privacy CA is not a change to webauthn. The spec already calls that out as a possible model. I think that what's happening here is that nobody has seriously looked into actually deploying one. Now that we are, we realize that we need to smooth out some rough edges around that attestation type.

-- 
GitHub Notification of comment by balfanz
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-336191537 using your GitHub account
Received on Thursday, 12 October 2017 16:29:04 UTC
