Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

As far as I remember, U2F authenticators have a zero AAGUID within the authenticator data structure. So, basic attestation or self attestation with U2F authenticators is allowed to have a zero AAGUID.

@herrjemand 
> and in the case of SELF attestation, in the none attestation scenario, the AAGUID will be returned, because it cannot be used for correlation.

If the attestation conveyance is set to "none" and the authenticator is a self (surrogate) attestation authenticator, the client also needs to strip off all the identifiable data (AAGUID and attestationObject). If not, the RP may correlate users with this AAGUID if it is non-zero.

So my thinking is that the zero AAGUID is only allowed for the **None** attestation format, except for the **FIDO U2F** format.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806747025 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 25 March 2021 13:30:57 UTC
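The RP-side check that the comment above argues for, as an added example that is not part of the original comment, the w3c/webauthn PR, or the specification text: it pulls the 16-byte AAGUID out of WebAuthn authenticator data and applies the rule as Kieun states it (a zero AAGUID is acceptable only with the "none" and "fido-u2f" formats, and the "none" format must carry a zero AAGUID, since a non-zero one would let the RP correlate users). The function names, the sample rpId "example.com", the credential ID and the placeholder COSE key bytes are all constructed for the example.

```python
# Added example, not from the original comment or the WebAuthn spec:
# parse the AAGUID from authenticator data and apply the
# AAGUID-vs-attestation-format rule described in the comment.
import hashlib
import struct
from typing import Optional, Tuple

ZERO_AAGUID = bytes(16)
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

# Formats for which the comment says a zero AAGUID is allowed.
ZERO_AAGUID_FORMATS = {"none", "fido-u2f"}


def build_auth_data(rp_id: str, aaguid: bytes, credential_id: bytes,
                    cose_key: bytes, sign_count: int = 0) -> bytes:
    """Construct authenticator data for testing (constructed sample input).

    Layout: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData,
    where attestedCredentialData = aaguid(16) | credIdLen(2, BE) | credId | COSE key.
    """
    if len(aaguid) != 16:
        raise ValueError("AAGUID must be 16 bytes")
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = FLAG_UP | FLAG_AT
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


def parse_aaguid(auth_data: bytes) -> Optional[bytes]:
    """Return the 16-byte AAGUID, or None when the AT flag is clear
    (no attested credential data is present)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    # AAGUID sits directly after rpIdHash, flags and signCount.
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return auth_data[37:53]


def check_aaguid_for_format(fmt: str, aaguid: bytes) -> Tuple[bool, str]:
    """Apply the rule from the comment to an attestation statement format
    ("none", "fido-u2f", "packed", ...) and the AAGUID carried in authData."""
    is_zero = aaguid == ZERO_AAGUID
    if fmt == "none":
        # A non-zero AAGUID under "none" is identifiable data the client
        # should have stripped; treat it as a policy violation.
        if is_zero:
            return True, "ok"
        return False, "non-zero AAGUID with 'none' attestation format"
    if fmt in ZERO_AAGUID_FORMATS:
        # fido-u2f: U2F authenticators have no AAGUID, so zero is expected;
        # the rule does not forbid a non-zero value here.
        return True, "ok"
    # Every other format (basic or self attestation) needs a real AAGUID.
    if is_zero:
        return False, f"zero AAGUID is not allowed with '{fmt}' attestation format"
    return True, "ok"


def verify_attestation_aaguid(fmt: str, auth_data: bytes) -> Tuple[bool, str]:
    """Combine parsing and the policy check for one attestation object."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return False, "AT flag clear: registration needs attested credential data"
    return check_aaguid_for_format(fmt, aaguid)


if __name__ == "__main__":
    # b"\xa0" is an empty CBOR map standing in for a COSE key (placeholder).
    sample = build_auth_data("example.com", bytes(range(16)), b"\x01\x02", b"\xa0")
    print(parse_aaguid(sample).hex(), verify_attestation_aaguid("none", sample))
```

Running the module prints the parsed AAGUID and the verdict for a non-zero AAGUID under the "none" format, which the rule rejects; swap in `ZERO_AAGUID` or the `"packed"` format to see the other branches.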