Re: [webauthn] Adding a choice for RP to express preferences for attestation types

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 08:23:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337500660-1508315028-sysbot+gh@w3.org>

While we're at it, why not (optionally) provide the client with more precise information about attestation preferences? The RP could send a list naming the attestation types it's willing to accept, for example `attestation: ['self', 'privacy-ca', 'none']`. The client can then choose which type to return, depending on what the authenticator supports of course. If this list contains `none`, that's equivalent to the suggested `low-cost` value meaning the RP won't care if the response doesn't even have an attestation statement. `verifiable` corresponds to this list containing at least one element and not containing `self` or `none`.

I suppose one argument against it is that it would be easier to inadvertently add `self` or `none` to that list - because "hey, let's accept them all!" or something - than to inadvertently set `attestation: 'low-cost'`.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-337500660 using your GitHub account
Received on Wednesday, 18 October 2017 08:23:51 UTC
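
The list semantics proposed in the message above, as an added JavaScript sketch that is not part of the original message or of the WebAuthn specification. The function names, the preference-order rule and the use of `none` as a fallback are assumptions made for illustration.

```javascript
// Added illustration of the list-valued `attestation` option proposed above.
// All function names are hypothetical; only the type names (`self`,
// `privacy-ca`, `none`) and the single values (`low-cost`, `verifiable`)
// come from the message.

// Map an accepted-types list to the single-valued option it corresponds to.
function equivalentSingleValue(accepted) {
  if (!Array.isArray(accepted)) throw new TypeError('expected an array');
  // A list containing `none` means the RP accepts a response with no
  // attestation statement at all: the suggested `low-cost` value.
  if (accepted.includes('none')) return 'low-cost';
  // At least one element, and neither `self` nor `none`: `verifiable`.
  if (accepted.length > 0 && !accepted.includes('self')) return 'verifiable';
  // Empty list, or `self` without `none`: the message states no equivalent.
  return null;
}

// Client side: choose which attestation type to return.
// Assumption: the RP's list is in preference order, and `none` is only used
// as a fallback when the authenticator supports nothing else on the list.
function chooseAttestationType(accepted, authenticatorSupports) {
  for (const type of accepted) {
    if (type !== 'none' && authenticatorSupports.includes(type)) return type;
  }
  // No listed type is supported: omit the statement if the RP allows it,
  // otherwise the request cannot be satisfied.
  return accepted.includes('none') ? 'none' : null;
}

// RP side: surface the entries that the message warns are easy to add
// inadvertently, so a configuration review can flag them.
function weakEntries(accepted) {
  return accepted.filter((t) => t === 'self' || t === 'none');
}

// Constructed sample values, using the list from the message.
const sample = ['self', 'privacy-ca', 'none'];
console.log(equivalentSingleValue(sample));                 // low-cost
console.log(chooseAttestationType(sample, ['privacy-ca'])); // privacy-ca
console.log(weakEntries(sample));                           // [ 'self', 'none' ]
```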