Re: [webauthn] Handling unwanted or unsupported attestation formats (#1485)

1. Authenticators will, in general, always return an attestation statement if they are capable, but the browser can filter it depending on the `attestation` argument. Technically, I think the browser must respect the `attestation` argument to be compliant, but the response is still well-formed if it doesn't. So this is the classic dilemma between rejecting any deviation from the spec in the interest of compliance, versus tolerating some discrepancies in the interest of compatibility. I don't think there is a best answer to that one.
2. There is no security difference between receiving a `"none"` attestation, vs. receiving and ignoring a full attestation.
3. If the RP requires a trusted attestation (most likely for financial/government institutions subject to legal regulations, or for enterprises' internal systems that know what authenticators they want to allow), then by definition it has to reject any attestation format it doesn't support. If the RP does not require attestation, it can just ignore it or maybe save it for later.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1485#issuecomment-693613306 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 16 September 2020 19:25:00 UTC
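As an added worked example (not part of the comment above, the WebAuthn spec, or any RP library), the three points map onto a single RP-side decision function. It assumes the `attestationObject` has already been CBOR-decoded into a dict with `fmt`, `attStmt` and `authData`, and that the RP has a fixed set of formats it knows how to verify; the set of supported formats, the policy enum and the sample authenticator data are all constructed for the example.

```python
"""RP-side attestation handling: none vs. full vs. unsupported formats.

Illustrative only. Assumes the attestationObject is already CBOR-decoded
into a dict; verification of a supported format is left to the caller.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, Optional

# AttestationConveyancePreference values the RP may have put in the options.
CONVEYANCE_PREFERENCES = {"none", "indirect", "direct", "enterprise"}

# Formats this hypothetical RP has verifiers for (constructed for the example).
SUPPORTED_FORMATS = {"packed", "fido-u2f", "tpm", "android-key"}


class AttestationPolicy(Enum):
    IGNORE = "ignore"    # RP does not need attestation: keep it opaque or store it
    REQUIRE = "require"  # RP must verify attestation against trusted roots


@dataclass
class Decision:
    accepted: bool
    reason: str
    needs_verification: bool = False          # caller must run the fmt-specific check
    stored: Optional[Dict[str, Any]] = None   # raw statement kept "for later", if any


def decide_attestation(requested: str, policy: AttestationPolicy,
                       att_obj: Dict[str, Any]) -> Decision:
    """Apply the RP's attestation policy to a decoded attestationObject."""
    if requested not in CONVEYANCE_PREFERENCES:
        raise ValueError(f"unknown attestation preference {requested!r}")
    if policy is AttestationPolicy.REQUIRE and requested == "none":
        # Misconfiguration: asking the client to strip attestation while requiring it.
        raise ValueError('policy REQUIRE is incompatible with attestation="none"')

    fmt = att_obj.get("fmt")
    att_stmt = att_obj.get("attStmt")
    auth_data = att_obj.get("authData")
    if (not isinstance(fmt, str) or not isinstance(att_stmt, dict)
            or not isinstance(auth_data, (bytes, bytearray))):
        return Decision(False, "malformed attestationObject: fmt/attStmt/authData")

    if fmt == "none":
        if att_stmt:  # the "none" format carries an empty attStmt map
            return Decision(False, 'fmt "none" must carry an empty attStmt')
        if policy is AttestationPolicy.REQUIRE:
            return Decision(False, "trusted attestation required but none conveyed")
        return Decision(True, "no attestation conveyed; nothing to verify")

    # A full attestation statement arrived.
    if policy is AttestationPolicy.IGNORE:
        reason = "attestation present but not required; kept opaque"
        if requested == "none":
            # Client deviated from the spec, but security-wise this equals "none".
            reason += ' (client did not honour attestation="none"; tolerated)'
        return Decision(True, reason, needs_verification=False,
                        stored={"fmt": fmt, "attStmt": att_stmt,
                                "authData": bytes(auth_data)})

    if fmt not in SUPPORTED_FORMATS:
        # Required attestation in a format we cannot verify: must reject.
        return Decision(False, f"required attestation in unsupported format {fmt!r}")
    return Decision(True, f"format {fmt!r} supported; run its verification procedure",
                    needs_verification=True,
                    stored={"fmt": fmt, "attStmt": att_stmt,
                            "authData": bytes(auth_data)})


# Constructed sample authData: 32-byte rpIdHash, flags (UP|AT), counter = 1.
SAMPLE_AUTH_DATA = bytes(32) + b"\x41" + b"\x00\x00\x00\x01"

if __name__ == "__main__":
    cases = [
        ("none", AttestationPolicy.IGNORE, {"fmt": "none", "attStmt": {}, "authData": SAMPLE_AUTH_DATA}),
        ("none", AttestationPolicy.IGNORE, {"fmt": "packed", "attStmt": {"alg": -7}, "authData": SAMPLE_AUTH_DATA}),
        ("direct", AttestationPolicy.REQUIRE, {"fmt": "none", "attStmt": {}, "authData": SAMPLE_AUTH_DATA}),
        ("direct", AttestationPolicy.REQUIRE, {"fmt": "apple", "attStmt": {"x5c": []}, "authData": SAMPLE_AUTH_DATA}),
        ("direct", AttestationPolicy.REQUIRE, {"fmt": "packed", "attStmt": {"alg": -7}, "authData": SAMPLE_AUTH_DATA}),
    ]
    for requested, policy, obj in cases:
        d = decide_attestation(requested, policy, obj)
        print(f"{requested:8} {policy.value:8} {obj['fmt']:7} -> {d.accepted} ({d.reason})")
```

The `needs_verification` flag is the hand-off point: when it is set, the caller still has to run the format-specific verification procedure and trust-path check for `fmt`, which this example deliberately does not implement. The reject-on-unsupported branch only exists under `REQUIRE`; under `IGNORE` an unknown format is treated exactly like `"none"`.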