Re: [webauthn] Handling unwanted or unsupported attestation formats (#1485) from Emil Lundberg via GitHub on 2020-09-17 (public-webauthn@w3.org from September 2020)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Sep 2020 19:01:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-694436116-1600369266-sysbot+gh@w3.org>

In case it helps, [Yubico's Java library](https://github.com/Yubico/java-webauthn-server) will always verify the attestation signature if present, and fail if the signature is invalid. However, by default it accepts any valid attestation, including `"none"`, but signals in the result that the attestation is valid but not trusted. If the user configures the library with a trust store _and_ enables the "require trusted attestation" setting, only then will the library reject any attestation that cannot be linked to some root certificate in the trust store.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1485#issuecomment-694436116 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 17 September 2020 19:01:13 UTC