
Re: [webauthn] Add RP conformance section on ignoring attestation

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Fri, 09 Mar 2018 23:50:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-371978052-1520639440-sysbot+gh@w3.org>

Thanks for writing this up @emlun. This appears to be useful info that we do not already address. Though, it seems to me to be more security considerations material than conformance.

In looking through it I notice that we probably ought to explicitly address the case of "none" attestation in the [Registering a new credential](https://www.w3.org/TR/2018/WD-webauthn-20180306/#registering-a-new-credential) RP ops subsection, at least in step 14 (since the "none" attStmt format is the only one without a sig to verify).

There are various polishing and terminological fixes I'd offer but will wait on doing so since I'm betting we'll address this issue & PR for PR-milestone and we're presently still trying to attain CR. Thanks again.

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/829#issuecomment-371978052 using your GitHub account
Received on Friday, 9 March 2018 23:50:44 UTC
