Re: [webauthn] Enterprise Attestation Conveyance Preference (#1652)

(Sorry for the delayed response @agl - just catching up to this thread).

Thanks for the link. So, it seems clear what the Authenticator must do. But, is there anything a FIDO Server must do with the results sent by the Authenticator?

For example, AttestationConveyancePreference for [enterprise](https://www.w3.org/TR/webauthn-2/#enum-attestation-convey) says:

> This value indicates that the Relying Party wants to receive an attestation statement that may include uniquely identifying information. 

and

> "... and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party."

Is the AAGUID expected to be the "uniquely identifying information"? If so, is there an expectation that the FIDO Server must match the AAGUID against a predetermined list? While business applications can choose to program anything they want to address business needs, I would expect FIDO Server responsibilities for enterprise attestation would be abstracted and defined in https://www.w3.org/TR/webauthn-2/#sctn-registering-a-new-credential - but I don't see anything different mentioned for "enterprise" attestations.

Additionally, is the attestation statement for enterprise attestations expected to be different from the [ones defined](https://www.w3.org/TR/webauthn-2/#sctn-defined-attestation-formats) in the spec?

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1652#issuecomment-888703514 using your GitHub account



Received on Thursday, 29 July 2021 00:17:01 UTC