W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 10:51:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337550362-1508323877-sysbot+gh@w3.org>
Ok, I agree that there are valid use cases for RPs to not care about attestation.

@balfanz Yes, you're right. I hadn't considered that the client, even without direct access to the private key, can make the authenticator generate user-verified assertions for something completely different than the user intended (assuming the authenticator has no display of its own). I concede that my argument is invalid. :)

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-337550362 using your GitHub account
Received on Wednesday, 18 October 2017 10:51:22 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC