W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2020

Re: [webauthn] Handling unwanted or unsupported attestation formats (#1485)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 16 Sep 2020 19:24:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-693613306-1600284298-sysbot+gh@w3.org>
1. Authenticators will, in general, always return an attestation statement if they are capable, but the browser can filter it depending on the `attestation` argument. Technically, I think the browser must respect the `attestation` argument to be compliant, but the response is still well-formed if it doesn't. So this is the classic dilemma between rejecting any deviation from the spec in the interest of compliance, versus tolerating some discrepancies in the interest of compatibility. I don't think there is a best answer to that one.
2. There is no security difference between receiving a `"none"` attestation, vs. receiving and ignoring a full attestation.
3. If the RP requires a trusted attestation (most likely for financial/government institutions subject to legal regulations, or for enterprises' internal systems that know what authenticators they want to allow), then by definition it has to reject any attestation format it doesn't support. If the RP does not require attestation, it can just ignore it or maybe save it for later.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1485#issuecomment-693613306 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 16 September 2020 19:25:00 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 16 September 2020 19:25:01 UTC