- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 25 Mar 2021 11:09:46 +0000
- To: public-webauthn@w3.org
There's also this in [step 20 of §5.1.3. Create a New Credential](https://w3c.github.io/webauthn/#ref-for-aaguid%E2%91%A0):

>If `credentialCreationData.attestationConveyancePreferenceOption`’s value is
>- **"none"**
>   Replace potentially uniquely identifying information with non-identifying versions of the same:
>   1. If the AAGUID in the attested credential data is 16 zero bytes, `credentialCreationData.attestationObjectResult.fmt` is "packed", and "x5c" is absent from `credentialCreationData.attestationObjectResult`, then self attestation is being used and no further action is needed.
>
>   [...]

So it looks like at least in theory, the zero AAGUID is also valid for "packed" self attestation, but I don't know if any authenticators are actually producing such attestation statements. Either way, there's no corresponding instruction about the AAGUID in the ["packed" attestation signing procedure](https://w3c.github.io/webauthn/#ref-for-self-attestation%E2%91%A0%E2%91%A4):

>3. If self attestation is in use, the authenticator produces _sig_ by concatenating _authenticatorData_ and _clientDataHash_, and signing the result using the credential private key. It sets _alg_ to the algorithm of the credential private key and omits the other fields.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806563831 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 25 March 2021 11:09:48 UTC
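
The three conditions quoted from step 20 above, written out as a check over an attestation object. This is an added example, not part of the original message or of the specification; it assumes the attestation object has already been CBOR-decoded into a dict with the keys `fmt`, `attStmt` and `authData`, and the function names and sample bytes are constructed for illustration.

```python
import struct

ZERO_AAGUID = bytes(16)
FLAG_AT = 0x40  # "attested credential data included" bit of the flags byte

def parse_aaguid(auth_data: bytes):
    """Return the 16-byte AAGUID, or None when no attested credential data is present."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | pubkey
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential ID runs past end of authenticator data")
    return auth_data[37:53]

def unmet_self_attestation_conditions(att_obj: dict) -> list:
    """List which of the three quoted conditions fail; empty list = no further action needed."""
    unmet = []
    if parse_aaguid(att_obj["authData"]) != ZERO_AAGUID:
        unmet.append("aaguid")
    if att_obj["fmt"] != "packed":
        unmet.append("fmt")
    if "x5c" in att_obj["attStmt"]:
        unmet.append("x5c")
    return unmet

def make_auth_data(aaguid: bytes, flags: int = 0x41) -> bytes:
    """Constructed sample: zeroed rpIdHash, 4-byte credential ID, empty CBOR map as key stand-in."""
    cred_id = b"\x01\x02\x03\x04"
    return (bytes(32) + bytes([flags]) + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")

if __name__ == "__main__":
    stmt = {"alg": -7, "sig": b"\x00"}  # constructed placeholder values
    samples = {
        "packed self, zero AAGUID": {"fmt": "packed", "attStmt": stmt,
                                     "authData": make_auth_data(ZERO_AAGUID)},
        "packed self, non-zero AAGUID": {"fmt": "packed", "attStmt": stmt,
                                         "authData": make_auth_data(bytes(range(16)))},
        "packed with x5c": {"fmt": "packed", "attStmt": dict(stmt, x5c=[b"\x30"]),
                            "authData": make_auth_data(ZERO_AAGUID)},
    }
    for name, obj in samples.items():
        print(name, "->", unmet_self_attestation_conditions(obj) or "no further action needed")
```

The second sample is the case the comment raises: a "packed" statement without "x5c" whose AAGUID is not all zeros does not match condition 1 as quoted.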