Re: [webauthn] Handling unwanted or unsupported attestation formats (#1485)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Sep 2020 19:01:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-694436116-1600369266-sysbot+gh@w3.org>

In case it helps, [Yubico's Java library](https://github.com/Yubico/java-webauthn-server) will always verify the attestation signature if present, and fail if the signature is invalid. However, by default it accepts any valid attestation, including `"none"`, but signals in the result that the attestation is valid but not trusted. If the user configures the library with a trust store _and_ enables the "require trusted attestation" setting, only then will the library reject any attestation that cannot be linked to some root certificate in the trust store.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1485#issuecomment-694436116 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 17 September 2020 19:01:13 UTC
