[webauthn] Handling unwanted or unsupported attestation formats (#1485)

madwizard-thomas has just created a new issue for https://github.com/w3c/webauthn:

== Handling unwanted or unsupported attestation formats ==
It is not quite clear to me how a Relying Party should handle an attestation format it did not expect or request.

The `attestation` field in `PublicKeyCredentialCreationOptions` can be used to specify whether or not attestation information is desired. Even though the Create method in §5.1.3 specifies that "none" should be handled by returning a None attestation statement, the enum `AttestationConveyancePreference` seems to hint that this value is more of a preference than a hard requirement. So would it be possible for a client to return a real attestation statement anyway?
Firefox on Windows 10 (unlike Chrome or Edge) seems to always include attestation statements even if the `attestation` field is set to `none`.
`§7.1 Registering a new credential` specifies to validate the statement as provided in the response (step 18/19) but makes no mention of whether attestation was requested or what the `attestation` field was set to.

Another issue is that the attestation statement format list in the spec is not exhaustive; new statement formats may arise in the future. A current example is Apple's new attestation format. RPs likely will not have implemented the new format yet; in this case Apple has not even registered the format yet, even though iOS 14 will be released today.

`§7.1 Registering a new credential` does not mention what should be done in case the statement format is not supported by the RP. This could be treated as a fatal error, but if the attestation can be sent without asking, this would fail the ceremony unnecessarily. Also, in a situation where 'best effort' attestation is applicable (allow optional attestation to determine security levels or for use in a risk engine), the RP may come across unknown formats but still want to use the credential.

So to summarize:

1. When `attestation` is set to `"none"`, is it allowed to return an attestation format other than None?
2. If 1 is allowed, how should RPs handle this situation? Should they validate the attestation statement or ignore it / treat it as None?
3. How should an RP deal with unsupported statement formats? Is this RP policy, a fatal error, or should it be treated as None?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1485 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 16 September 2020 14:50:35 UTC
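As an added example (not code from the issue author, the spec, or any RP library), here is one way an RP could encode the policy choices raised in questions 1-3 above: which returned `fmt` values it can verify, what to do with an unsupported format, and what to do when a statement comes back although `attestation: "none"` was requested. The set `SUPPORTED_FMTS`, the policy names, and the format identifier `new-vendor-fmt` are assumptions made for the example; `fmt_of` expects the attestationObject already CBOR-decoded into a dict.

```python
from dataclasses import dataclass

# Statement formats this hypothetical RP has verification procedures for (assumed set).
SUPPORTED_FMTS = {"none", "packed", "fido-u2f", "tpm", "android-key", "android-safetynet"}


@dataclass(frozen=True)
class AttestationPolicy:
    """RP policy knobs for the two situations the issue raises (names are assumptions)."""
    unsupported: str = "treat_as_none"   # unknown `fmt`: "fatal" | "treat_as_none"
    unrequested: str = "treat_as_none"   # statement returned although "none" was requested:
                                         # "fatal" | "treat_as_none" | "verify"


@dataclass(frozen=True)
class Decision:
    accept: bool    # continue the registration ceremony?
    verify: bool    # run the fmt-specific verification procedure (7.1 step 19)?
    trust: str      # "none" (no statement), "unverified" (statement ignored), "pending" (to verify)
    reason: str


def fmt_of(attestation_object: dict) -> str:
    """Extract `fmt` from a CBOR-decoded attestationObject; missing or non-text fmt is malformed."""
    fmt = attestation_object.get("fmt")
    if not isinstance(fmt, str) or not fmt:
        raise ValueError("attestationObject has no valid fmt field")
    return fmt


def decide(requested: str, fmt: str, policy: AttestationPolicy) -> Decision:
    """Decide how to treat the returned statement given the AttestationConveyancePreference sent."""
    if fmt == "none":
        return Decision(True, False, "none", "client returned a None attestation statement")
    if fmt not in SUPPORTED_FMTS:
        if policy.unsupported == "fatal":
            return Decision(False, False, "none", f"unsupported attestation format {fmt!r}")
        # Keep the credential but record that the statement was never checked, so a
        # risk engine cannot mistake it for a verified attestation.
        return Decision(True, False, "unverified", f"unsupported format {fmt!r} ignored")
    if requested == "none" and policy.unrequested != "verify":
        if policy.unrequested == "fatal":
            return Decision(False, False, "none", "statement returned although 'none' was requested")
        return Decision(True, False, "unverified", "unrequested statement ignored")
    return Decision(True, True, "pending", f"verify {fmt!r} statement per its format procedure")


if __name__ == "__main__":
    # Constructed sample: a decoded attestationObject as a client might return it when
    # attestation="none" was requested (authData/attStmt contents are placeholders).
    obj = {"fmt": "packed", "attStmt": {}, "authData": b"<authData bytes>"}
    print(decide("none", fmt_of(obj), AttestationPolicy()))
    print(decide("direct", "new-vendor-fmt", AttestationPolicy(unsupported="fatal")))
```

The `trust` value is what a "best effort" deployment would feed into its risk engine; only `pending` credentials go on to the format-specific verification and trust-anchor checks.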