Re: [webauthn] Enterprise Attestation Conveyance Preference (#1652)

> But, is there anything a FIDO Server must do with the results sent by the Authenticator?

The enterprise attestation conveyance is for the case where an RP also controls the authenticators. E.g. a corporate environment where employees are issued authenticators for signing in. While the AAGUID is very unlikely to be uniquely identifying, the attestation statement itself is allowed to be—which is unique to the enterprise case.

Since this designed for bespoke environments it's difficult to give rules about what they might do. Probably the attestation statement would be in a standard format, but the RP may wish to verify it against custom trust roots. They may wish to parse out bespoke parts of the attestation and check that the authenticator was issued to the account that is trying to register it etc.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1652#issuecomment-889190278 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 29 July 2021 14:24:55 UTC