Re: [webauthn] Adding a choice for RP to express preferences for attestation types from Emil Lundberg via GitHub on 2017-10-18 (public-webauthn@w3.org from October 2017)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 08:09:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337495968-1508314162-sysbot+gh@w3.org>

I see, that makes sense. On the other hand, how many RPs are likely to directly implement WebAuthn themselves as opposed to using a library for generating and verifying requests? It would be equally trivial to add a flag to ignore attestation, and it would be hard to miss if the library by default has an empty trust store and therefore rejects all attestations. Compare with how `curl` by default rejects untrusted server certificates but can be configured to trust additional certificates or skip certificate validation.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-337495968 using your GitHub account

Received on Wednesday, 18 October 2017 08:09:25 UTC