Ok, I agree that there are valid use cases for RPs to not care about attestation. @balfanz Yes, you're right. I hadn't considered that the client, even without direct access to the private key, can make the authenticator generate user-verified assertions for something completely different than the user intended (assuming the authenticator has no display of its own). I concede that my argument is invalid. :) -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/628#issuecomment-337550362 using your GitHub accountReceived on Wednesday, 18 October 2017 10:51:22 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC