Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

>I don't believe that we would want to transmit AAGUIDs in a non-enterprise context.

I suggested in yesterday's WG call that we could include a parameter `AttestationConveyancePreference attestation` in the extension input, and for example have the authenticator emit the AAGUID only if that is set to `direct`; @agl seemed to agree with this idea. For the record: unlike regular registration responses, where the authenticator data isn't signed if `none` attestation is used, the response here is an assertion response, so the client cannot modify the authenticator data after the fact.

Another option that was brought up was to put the AAGUID in the `CollectedClientData` instead, so the client has control of it. In that case we would need to remove the AAGUID from the authenticator data.

Since the all-zero AAGUID is already defined as a special value, I prefer adding the `attestation` parameter and having the authenticator set the AAGUID to zero if `attestation` is not set to `direct`. This way, the client controls what `attestation` argument is sent to the authenticator, and we can still reuse the `AttestedCredentialData` structure (although the name becomes a misnomer in this case) with the same semantics as usual, which reduces implementation complexity for RPs.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-638792279 using your GitHub account

Received on Thursday, 4 June 2020 11:32:55 UTC
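To make the proposal in the comment above concrete, here is an added example (not code from the PR, the WebAuthn specification, or emlun) that parses the standard authenticator data layout and applies the proposed rule: the authenticator emits its real AAGUID inside `AttestedCredentialData` only when the extension input's `attestation` is `direct`, and the all-zero AAGUID otherwise. The function names (`authenticator_recovery_aaguid`, `rp_effective_aaguid`, `encode_authenticator_data`) and the sample AAGUID, credential ID and EC2 key coordinates are constructed for this example; treating a non-zero AAGUID under a non-`direct` request as a policy violation is an assumption, not something the comment specifies.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits and field sizes follow the WebAuthn authenticator data layout.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
ZERO_AAGUID = bytes(16)  # the all-zero AAGUID the comment refers to


@dataclass
class AttestedCredentialData:
    aaguid: bytes
    credential_id: bytes
    cose_public_key: bytes  # raw CBOR COSE_Key, left undecoded here


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    attested_credential_data: Optional[AttestedCredentialData]


def cose_ec2_p256_key(x: bytes, y: bytes) -> bytes:
    """Hand-encoded CBOR for {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}."""
    assert len(x) == 32 and len(y) == 32
    return (b"\xa5\x01\x02\x03\x26\x20\x01"
            b"\x21\x58\x20" + x +
            b"\x22\x58\x20" + y)


def encode_authenticator_data(rp_id: str, flags: int, sign_count: int,
                              aaguid: bytes, credential_id: bytes, cose_key: bytes) -> bytes:
    """Serialise authenticator data carrying attested credential data (AT flag forced on)."""
    assert len(aaguid) == 16
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key)


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse rpIdHash | flags | signCount | [attestedCredentialData]. No extensions handled."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    acd = None
    if flags & FLAG_AT:
        if len(data) < 37 + 16 + 2:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_id_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("truncated credential ID")
        # Without a CBOR decoder we cannot find the key's end, so the rest is the key.
        acd = AttestedCredentialData(aaguid, cred_id, data[55 + cred_id_len:])
    return AuthenticatorData(rp_id_hash, flags, sign_count, acd)


def authenticator_recovery_aaguid(real_aaguid: bytes, attestation: str) -> bytes:
    """Authenticator side of the proposal: emit the real AAGUID only for 'direct'."""
    return real_aaguid if attestation == "direct" else ZERO_AAGUID


def rp_effective_aaguid(auth_data: AuthenticatorData, attestation: str) -> Optional[bytes]:
    """RP side: return the AAGUID it may rely on, or None when none was conveyed.

    Assumption for this example: a non-zero AAGUID returned under a non-'direct'
    request contradicts the proposed rule and is rejected as a policy violation.
    """
    acd = auth_data.attested_credential_data
    if acd is None:
        raise ValueError("AT flag not set; recovery response lacks credential data")
    if attestation != "direct":
        if acd.aaguid != ZERO_AAGUID:
            raise ValueError("AAGUID conveyed although attestation was not 'direct'")
        return None
    return None if acd.aaguid == ZERO_AAGUID else acd.aaguid


# Constructed sample values (not a real authenticator or key).
SAMPLE_AAGUID = bytes(range(16))
SAMPLE_CRED_ID = b"recovery-credential-01"
SAMPLE_KEY = cose_ec2_p256_key(b"\x11" * 32, b"\x22" * 32)


def recovery_response(attestation: str) -> bytes:
    """Simulate the authenticator producing the recovery credential's authenticator data."""
    aaguid = authenticator_recovery_aaguid(SAMPLE_AAGUID, attestation)
    return encode_authenticator_data("example.org", FLAG_UP | FLAG_UV, 7,
                                     aaguid, SAMPLE_CRED_ID, SAMPLE_KEY)


if __name__ == "__main__":
    for pref in ("none", "indirect", "direct"):
        parsed = parse_authenticator_data(recovery_response(pref))
        print(pref, rp_effective_aaguid(parsed, pref))
```

The point of the round trip is that `AttestedCredentialData` keeps its usual shape in every case, which is the implementation-complexity argument made in the comment; the RP only needs to know that an all-zero AAGUID means "not conveyed".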