
Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 11:09:46 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806563831-1616670585-sysbot+gh@w3.org>

There's also this in [step 20 of §5.1.3. Create a New Credential](https://w3c.github.io/webauthn/#ref-for-aaguid%E2%91%A0):

>If `credentialCreationData.attestationConveyancePreferenceOption`’s value is
>- **"none"**
>  Replace potentially uniquely identifying information with non-identifying versions of the same:
>   1. If the AAGUID in the attested credential data is 16 zero bytes, `credentialCreationData.attestationObjectResult.fmt` is "packed", and "x5c" is absent from `credentialCreationData.attestationObjectResult`, then self attestation is being used and no further action is needed.
>  [...]

So it looks like at least in theory, the zero AAGUID is also valid for "packed" self attestation, but I don't know if any authenticators are actually producing such attestation statements. Either way, there's no corresponding instruction about the AAGUID in the ["packed" attestation signing procedure](https://w3c.github.io/webauthn/#ref-for-self-attestation%E2%91%A0%E2%91%A4):

>3. If self attestation is in use, the authenticator produces _sig_ by concatenating _authenticatorData_ and _clientDataHash_, and signing the result using the credential private key. It sets _alg_ to the algorithm of the credential private key and omits the other fields.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806563831 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 25 March 2021 11:09:48 UTC
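
The step 20 condition quoted in the message above, written out as a check over an already CBOR-decoded attestation object. This is an added example, not part of the original message or of the WebAuthn specification text. The function names, the result labels, the dict layout (`fmt`, `attStmt`, `authData`, with `x5c` looked up inside `attStmt`) and the sample bytes are assumptions made for illustration.

```python
import hashlib
import struct
from typing import Optional

ZERO_AAGUID = bytes(16)
FLAG_AT = 0x40  # bit 6 of the flags byte: attested credential data is present


def extract_aaguid(auth_data: bytes) -> Optional[bytes]:
    """Return the AAGUID from raw authenticator data, or None if AT is unset."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticator data too short")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 55:  # + aaguid(16) + credentialIdLength(2)
        raise ValueError("attested credential data truncated")
    return auth_data[37:53]


def classify(att_obj: dict) -> str:
    """Classify a decoded attestation object against the quoted condition."""
    aaguid = extract_aaguid(att_obj["authData"])
    if aaguid is None:
        return "no-attested-credential-data"
    if aaguid != ZERO_AAGUID:
        return "nonzero-aaguid"
    packed = att_obj.get("fmt") == "packed"
    no_x5c = "x5c" not in att_obj.get("attStmt", {})
    if packed and no_x5c:
        return "packed-self-attestation"  # the quoted case: no further action
    return "zero-aaguid-not-self-attestation"


def make_auth_data(aaguid: bytes, flags: int = 0x41) -> bytes:
    """Constructed sample input; the trailing key byte is a placeholder."""
    cred_id = b"\x01" * 16
    head = hashlib.sha256(b"example.org").digest() + bytes([flags])
    head += struct.pack(">I", 0)  # signCount
    return head + aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"


if __name__ == "__main__":
    stmt = {"alg": -7, "sig": b"constructed"}
    for fmt, att_stmt in [("packed", stmt), ("packed", {**stmt, "x5c": [b"c"]}),
                          ("none", {})]:
        obj = {"fmt": fmt, "attStmt": att_stmt,
               "authData": make_auth_data(ZERO_AAGUID)}
        print(fmt, sorted(att_stmt), "->", classify(obj))
```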
