Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

As far as I remember, U2F authenticators have zero AAGUID within the authenticator data structure. So, basic attestation or self attestation with U2F authenticators is allowed to have zero AAGUID.  

> and in case of SELF attestation, in none attestation scenario, AAGUID will be returned, because it can not be used for correlation.

If the attestation conveyance is set to "none" and the authenticator is a type of self (surrogate) authenticators, the client also needs to stripped off all the identifiable data (AAGUID and attestationObject). If not, the RP may correlate users with this AAGUID if it is non-zero.

So my thinking is that the zero AAGUID is only allowed to **None** attestation format except **FIDO U2F** format.

GitHub Notification of comment by Kieun
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 25 March 2021 13:30:57 UTC