Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create() from Emil Lundberg via GitHub on 2017-10-18 (public-webauthn@w3.org from October 2017)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Oct 2017 10:51:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337550362-1508323877-sysbot+gh@w3.org>

Ok, I agree that there are valid use cases for RPs to not care about attestation.

@balfanz Yes, you're right. I hadn't considered that the client, even without direct access to the private key, can make the authenticator generate user-verified assertions for something completely different than the user intended (assuming the authenticator has no display of its own). I concede that my argument is invalid. :)

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-337550362 using your GitHub account

Received on Wednesday, 18 October 2017 10:51:22 UTC