Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

There's also this in step 20 of §5.1.3. Create a New Credential:

>If `credentialCreationData.attestationConveyancePreferenceOption`’s value is
>- **"none"**
>  Replace potentially uniquely identifying information with non-identifying versions of the same:
>   1. If the AAGUID in the attested credential data is 16 zero bytes, `credentialCreationData.attestationObjectResult.fmt` is "packed", and "x5c" is absent from `credentialCreationData.attestationObjectResult`, then self attestation is being used and no further action is needed.
>  [...]

So it looks like at least in theory, the zero AAGUID is also valid for "packed" self attestation, but I don't know if any authenticators are actually producing such attestation statements. Either way, there's no corresponding instruction about the AAGUID in the "packed" attestation signing procedure:

>3. If self attestation is in use, the authenticator produces _sig_ by concatenating _authenticatorData_ and _clientDataHash_, and signing the result using the credential private key. It sets _alg_ to the algorithm of the credential private key and omits the other fields.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account


Received on Thursday, 25 March 2021 11:09:48 UTC
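As an added example (mine, not code from the issue thread, the spec or any WebAuthn library), the following Go program implements both quoted steps end to end: the authenticator side produces a "packed" self attestation as in step 3 of the signing procedure (sig over authenticatorData || clientDataHash with the credential private key, alg = -7 for ES256, no x5c), and the client side applies the step 20 check for attestation preference "none" (zero AAGUID, fmt "packed", "x5c" absent) before the RP verifies the signature with the public key carried in the attested credential data. Assumptions: the attestation object is a Go struct rather than CBOR, the credential public key inside authenticator data is stored as a raw uncompressed P-256 point rather than a COSE_Key map, the "otherwise" branch of step 20 that the comment elides with [...] is taken to zero the AAGUID, set fmt to "none" and empty attStmt, and all type and function names (`AttestationObject`, `BuildAuthData`, `ApplyNonePreference`, etc.) are mine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// AttestationObject stands in for the CBOR attestation object with attStmt flattened; X5c == nil means "x5c" absent.
type AttestationObject struct {
	Fmt      string
	AuthData []byte
	Alg      int64
	Sig      []byte
	X5c      [][]byte
}

const flagUP, flagAT = 0x01, 0x40
var zeroAAGUID = make([]byte, 16) // the "16 zero bytes" of step 20

// BuildAuthData: rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | credId | pubkey.
// Assumption: pubkey is the raw uncompressed P-256 point, not a COSE_Key CBOR map.
func BuildAuthData(rpID string, aaguid, credID []byte, pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256([]byte(rpID))
	ad := append([]byte{}, h[:]...)
	ad = append(ad, flagUP|flagAT, 0, 0, 0, 0) // flags, signCount = 0
	ad = append(ad, aaguid...)
	ad = append(ad, byte(len(credID)>>8), byte(len(credID)))
	ad = append(ad, credID...)
	ad = append(ad, 0x04)
	ad = append(ad, pub.X.FillBytes(make([]byte, 32))...)
	return append(ad, pub.Y.FillBytes(make([]byte, 32))...)
}

// ParseAttestedCredential returns the AAGUID and credential public key from authData.
func ParseAttestedCredential(authData []byte) ([]byte, *ecdsa.PublicKey, error) {
	if len(authData) < 55 || authData[32]&flagAT == 0 {
		return nil, nil, errors.New("no attested credential data")
	}
	n := int(authData[53])<<8 | int(authData[54])
	if len(authData) != 55+n+65 || authData[55+n] != 0x04 {
		return nil, nil, errors.New("unexpected credential public key encoding")
	}
	raw := authData[55+n:]
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(raw[1:33]), Y: new(big.Int).SetBytes(raw[33:])}
	return authData[37:53], pub, nil
}

// PackedSelfAttest is step 3 of the "packed" signing procedure: sign authenticatorData || clientDataHash
// with the credential private key, set alg to that key's algorithm (ES256 = -7), omit x5c.
func PackedSelfAttest(priv *ecdsa.PrivateKey, authData, clientDataHash []byte) (AttestationObject, error) {
	d := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return AttestationObject{}, err
	}
	return AttestationObject{Fmt: "packed", AuthData: authData, Alg: -7, Sig: sig}, nil
}

// IsPackedSelfAttestation is the condition quoted from step 20: zero AAGUID, fmt "packed", no "x5c".
func IsPackedSelfAttestation(att AttestationObject) bool {
	aaguid, _, err := ParseAttestedCredential(att.AuthData)
	return err == nil && bytes.Equal(aaguid, zeroAAGUID) && att.Fmt == "packed" && att.X5c == nil
}

// ApplyNonePreference is step 20 for preference "none": self attestation passes through untouched;
// otherwise zero the AAGUID, set fmt to "none" and empty attStmt (assumed content of the elided branch).
func ApplyNonePreference(att AttestationObject) AttestationObject {
	if IsPackedSelfAttestation(att) {
		return att
	}
	ad := append([]byte{}, att.AuthData...)
	if len(ad) >= 53 && ad[32]&flagAT != 0 {
		copy(ad[37:53], zeroAAGUID)
	}
	return AttestationObject{Fmt: "none", AuthData: ad}
}

// VerifyPackedSelfAttestation checks sig with the key in the attested credential data, the only key self attestation offers.
func VerifyPackedSelfAttestation(att AttestationObject, clientDataHash []byte) bool {
	_, pub, err := ParseAttestedCredential(att.AuthData)
	if err != nil || att.Fmt != "packed" || att.X5c != nil || att.Alg != -7 {
		return false
	}
	d := sha256.Sum256(append(append([]byte{}, att.AuthData...), clientDataHash...))
	return ecdsa.VerifyASN1(pub, d[:], att.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdh := sha256.Sum256([]byte("constructed clientDataJSON")) // constructed sample input
	att, _ := PackedSelfAttest(priv, BuildAuthData("example.com", zeroAAGUID, []byte("cred-1"), &priv.PublicKey), cdh[:])
	fmt.Println("self attestation:", IsPackedSelfAttestation(att), "verifies:", VerifyPackedSelfAttestation(att, cdh[:]))
	fmt.Println("after none:", ApplyNonePreference(att).Fmt)
}
```

Two things worth noticing when running it: a zero AAGUID alone does not make something self attestation (the same authenticator data with an "x5c" present fails `IsPackedSelfAttestation` and is anonymised to fmt "none"), and the verifier trusts nothing beyond the key embedded in the attested credential data, which is exactly why the spec can let a self-attested statement through the "none" preference without leaking anything identifying.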