- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 02 Jul 2018 16:06:33 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn: == MUST authenticators still perform self attestation? == [ยง6.3. Attestation][att] states (emphasis added): >**Authenticators MUST also provide** some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, **an attestation statement verifiable by the Relying Party**. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. **However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key.** All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure 3, below. Is this still accurate now that we have the [None][none] attestation type and -format? Should this not instead be something like the following (changes emphasized)? >Authenticators **MAY** also provide some form of attestation. **If an authenticator does**, the basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifiable by the Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator **MAY either** perform self attestation of the credential public key with the corresponding credential private key, **or otherwise perform no attestation**. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure 3, below. > >**If an authenticator employs self attestation or no attestation, then no provenance information is provided for the Relying Party to base a trust decision on. In these cases, the authenticator provides no guarantees about its operation to the Relying Party.** (The last paragraph could possibly be a Note:) I'm not sure if this would be breaking or not. I'd say it's not important enough that it would be worth delaying the process for it, but it would be a shame if it is indeed inconsistent with the rest of the spec and we end up having to publish it. [att]: https://w3c.github.io/webauthn/#sctn-attestation [none]: https://w3c.github.io/webauthn/#none Please view or discuss this issue at https://github.com/w3c/webauthn/issues/978 using your GitHub account
Received on Monday, 2 July 2018 16:06:39 UTC