- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 18 Oct 2017 08:23:49 +0000
- To: public-webauthn@w3.org

While we're at it, why not (optionally) provide the client with more precise information about attestation preferences? The RP could send a list naming the attestation types it's willing to accept, for example `attestation: ['self', 'privacy-ca', 'none']`. The client can then choose which type to return, depending on what the authenticator supports, of course.

If this list contains `none`, that's equivalent to the suggested `low-cost` value meaning the RP won't care if the response doesn't even have an attestation statement. `verifiable` corresponds to this list containing at least one element and not containing `self` or `none`.

I suppose one argument against it is that it would be easier to inadvertently add `self` or `none` to that list - because "hey, let's accept them all!" or something - than to inadvertently set `attestation: 'low-cost'`.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-337500660 using your GitHub account

Received on Wednesday, 18 October 2017 08:23:51 UTC