- From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
- Date: Thu, 25 Mar 2021 13:30:55 +0000
- To: public-webauthn@w3.org
As far as I remember, U2F authenticators have a zero AAGUID within the authenticator data structure. So, basic attestation or self attestation with U2F authenticators is allowed to have a zero AAGUID.

@herrjemand
> and in case of SELF attestation, in none attestation scenario, AAGUID will be returned, because it can not be used for correlation.

If the attestation conveyance is set to "none" and the authenticator is a type of self (surrogate) authenticator, the client also needs to strip off all the identifiable data (AAGUID and attestationObject). If not, the RP may correlate users with this AAGUID if it is non-zero.

So my thinking is that the zero AAGUID is only allowed for the **None** attestation format, except for the **FIDO U2F** format.

--
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806747025 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 25 March 2021 13:30:57 UTC
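The following is an added example, not part of the mailing-list thread or of the WebAuthn specification text: a Relying Party-side check that applies the rule proposed in the post above (an all-zero AAGUID is expected only for the "none" and "fido-u2f" attestation statement formats, and a non-zero AAGUID arriving under "none" is the correlation leak the post warns about). It parses the authenticator data layout (rpIdHash, flags, signCount, then attested credential data: AAGUID, credentialIdLength, credentialId, credentialPublicKey) from raw bytes. The function names and the sample authenticator data are constructed for this example; the public key field is a placeholder empty CBOR map, not a real key.

```python
"""Added example: RP-side AAGUID policy check per attestation format.

Authenticator data layout assumed here (WebAuthn):
  rpIdHash (32) | flags (1) | signCount (4, big-endian) |
  [attested credential data: aaguid (16) | credIdLen (2) | credId | COSE key]
"""
from __future__ import annotations

import hashlib
import struct

ZERO_AAGUID = bytes(16)
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, if flagged, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    parsed = {
        "rpIdHash": auth_data[:32],
        "flags": auth_data[32],
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credentialId": None,
        "credentialPublicKey": None,
    }
    if parsed["flags"] & FLAG_AT:
        if len(auth_data) < 37 + 18:
            raise ValueError("attested credential data truncated")
        aaguid = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = aaguid
        parsed["credentialId"] = cred_id
        parsed["credentialPublicKey"] = auth_data[55 + cred_len:]
    return parsed


def check_aaguid_policy(fmt: str, aaguid: bytes) -> tuple[bool, str]:
    """Apply the post's rule: zero AAGUID only with 'none' or 'fido-u2f'.

    Returns (accepted, reason). A non-zero AAGUID under 'none' is rejected
    because it would let the RP correlate users by authenticator model.
    """
    is_zero = aaguid == ZERO_AAGUID
    if fmt == "none":
        if is_zero:
            return True, "none: AAGUID zeroed as expected"
        return False, "none: non-zero AAGUID leaks authenticator model (correlation risk)"
    if fmt == "fido-u2f":
        if is_zero:
            return True, "fido-u2f: zero AAGUID expected for U2F authenticators"
        return False, "fido-u2f: unexpected non-zero AAGUID"
    # Any other format (packed, tpm, android-key, ...) is expected to carry a real AAGUID.
    if is_zero:
        return False, f"{fmt}: zero AAGUID, authenticator model cannot be identified"
    return True, f"{fmt}: AAGUID present"


def evaluate_registration(fmt: str, auth_data: bytes) -> tuple[bool, str]:
    """Parse raw authenticator data and run the AAGUID policy for the given fmt."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["aaguid"] is None:
        raise ValueError("registration response carries no attested credential data")
    return check_aaguid_policy(fmt, parsed["aaguid"])


def build_sample_auth_data(rp_id: str, aaguid: bytes, cred_id: bytes, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data for testing (placeholder COSE key)."""
    placeholder_key = b"\xa0"  # empty CBOR map; a real response carries a COSE key
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([FLAG_UP | FLAG_AT])
        + struct.pack(">I", sign_count)
        + aaguid
        + struct.pack(">H", len(cred_id))
        + cred_id
        + placeholder_key
    )


if __name__ == "__main__":
    sample = build_sample_auth_data("example.com", b"\xab" * 16, b"\x01\x02\x03", 7)
    for fmt in ("none", "fido-u2f", "packed"):
        print(fmt, evaluate_registration(fmt, sample))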