Re: [webauthn] Adding a choice for RP to express preferences for attestation types

At the webauthn level, we are requesting something with a slightly different direction than your `PrivacyPreference`: we feel that what would be helpful is if an RP can indicate whether it cares about attestation at all. Because, if not, clients may be able to avoid doing work, whether that involves a privacy CA, ECDAA signatures etc.

The experience with U2F, so far, has been that the vast majority of sites do not care about attestation (measured by whether it's possible to register a token with a dummy attestation certificate). For the current set of RPs, that may change because they're large entities. But, numerically, the majority of RPs (if we are successful) will be small Django, WordPress, node.js, etc. sites that are unlikely to want to maintain the infrastructure needed for attestation, nor to care. Thus it seems that not worrying about attestation should be the default, as setting a flag at registration time is trivial for sites that do care, but adding a flag as an optimisation is the sort of thing that smaller deployments may miss.

I hope that helps explain the thinking behind this pull request.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-337450187 using your GitHub account

Received on Wednesday, 18 October 2017 03:28:52 UTC
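To illustrate the design discussed in the comment above, here is an added example (not agl's code, not from the WebAuthn spec or PR) of the two halves of such a flag: the RP stating at registration time whether it cares about attestation, and the server then enforcing only the policy it chose. It assumes the flag is `attestation` on PublicKeyCredentialCreationOptions with values "none" and "direct", and uses a constructed attestationObject with placeholder authData.

```javascript
// Added example, not agl's code nor the WebAuthn spec's; assumes the flag is
// `attestation` on PublicKeyCredentialCreationOptions with values "none"/"direct".
// RP side: say up front whether attestation matters, so a client can skip
// privacy-CA or anonymisation work for an RP that does not care.
function buildCreationOptions(rpName, user, challenge, requiresAttestation) {
  return {
    rp: { name: rpName },
    user: { id: user.id, name: user.name, displayName: user.name },
    challenge,                                            // server-generated random bytes
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],  // ES256
    attestation: requiresAttestation ? 'direct' : 'none',
  };
}

// Minimal CBOR decoder, enough for an attestationObject's top level (uint, negint,
// bstr, tstr, map; definite lengths up to 16 bits). Returns [value, nextPos].
function decodeCbor(b, pos = 0) {
  const ib = b[pos++], major = ib >> 5; let n = ib & 0x1f;
  if (n === 24) n = b[pos++];
  else if (n === 25) { n = (b[pos] << 8) | b[pos + 1]; pos += 2; }
  else if (n > 25) throw new Error('unsupported CBOR length encoding');
  if (major === 0) return [n, pos];
  if (major === 1) return [-1 - n, pos];
  if (major === 2) return [b.subarray(pos, pos + n), pos + n];
  if (major === 3) return [new TextDecoder().decode(b.subarray(pos, pos + n)), pos + n];
  if (major === 5) {
    const m = {};
    for (let i = 0, k, v; i < n; i++) { [k, pos] = decodeCbor(b, pos); [v, pos] = decodeCbor(b, pos); m[k] = v; }
    return [m, pos];
  }
  throw new Error('unsupported CBOR major type ' + major);
}

// Server side: enforce the policy the RP chose. Opted out: accept any format, skip
// chain verification. Opted in: reject fmt "none" and go on to verify attStmt.
function checkAttestationPolicy(requiresAttestation, attestationObject) {
  const [att] = decodeCbor(attestationObject);
  if (typeof att.fmt !== 'string' || !(att.authData instanceof Uint8Array)) return { ok: false, reason: 'malformed attestationObject' };
  if (!requiresAttestation) return { ok: true, fmt: att.fmt, verifyChain: false };
  if (att.fmt === 'none') return { ok: false, reason: 'attestation required, got fmt "none"' };
  return { ok: true, fmt: att.fmt, verifyChain: true };
}

// Constructed sample attestationObject: {fmt, attStmt: {}, authData: 37 zero bytes}.
function sampleAttestationObject(fmt) {
  const f = [...new TextEncoder().encode(fmt)];
  return Uint8Array.from([
    0xa3, 0x63, 0x66, 0x6d, 0x74, 0x60 | f.length, ...f,  // map(3), "fmt": fmt
    0x67, 0x61, 0x74, 0x74, 0x53, 0x74, 0x6d, 0x74, 0xa0,  // "attStmt": {}
    0x68, 0x61, 0x75, 0x74, 0x68, 0x44, 0x61, 0x74, 0x61,  // "authData":
    0x58, 0x25, ...new Array(37).fill(0),                  // 37-byte placeholder
  ]);
}
```

With `verifyChain: true` the caller still has to validate attStmt against its trust anchors; the policy check only decides whether that work is required at all.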