
Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 13:30:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806747025-1616679054-sysbot+gh@w3.org>
As far as I remember, U2F authenticators have a zero AAGUID within the authenticator data structure. So, basic attestation or self attestation with U2F authenticators is allowed to have a zero AAGUID.

@herrjemand 
> and in case of SELF attestation, in none attestation scenario, AAGUID will be returned, because it can not be used for correlation.

If the attestation conveyance is set to "none" and the authenticator is a type of self (surrogate) authenticator, the client also needs to strip off all the identifiable data (AAGUID and attestationObject). If not, the RP may correlate users with this AAGUID if it is non-zero.

So my thinking is that the zero AAGUID is only allowed in the **None** attestation format, except for the **FIDO U2F** format.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806747025 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
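The rule argued for in the message above, as an added example that is not part of the original post and not text from the WebAuthn spec or the w3c/webauthn repository: an RP-side check that parses the authenticator data layout (rpIdHash, flags, signCount, then AAGUID, credentialIdLength and credentialId when the AT flag is set) and accepts an all-zero AAGUID only when the attestation statement format is "none" or "fido-u2f", while rejecting a non-zero AAGUID under "none" because of the correlation concern the message raises. The helper names (parse_authenticator_data, check_aaguid_policy, build_auth_data) and the sample inputs are constructed for this example; the COSE public key is left as an unparsed tail.

```python
"""RP-side AAGUID policy check for WebAuthn registration (added example).

Implements the zero-AAGUID rule proposed in the message above; the policy
function encodes that proposal, not normative spec text.
"""
import hashlib
import struct
from typing import Dict, Optional, Tuple

ZERO_AAGUID = bytes(16)
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Split authenticator data into its fixed fields and, if the AT flag is
    set, the attested credential data (AAGUID, credential ID, COSE key tail)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    parsed: Dict[str, object] = {
        "rpIdHash": auth_data[:32],
        "flags": auth_data[32],
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credentialId": None,
        "credentialPublicKey": None,
    }
    if auth_data[32] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_end = 55 + cred_len
        if len(auth_data) < cred_end:
            raise ValueError("credential ID truncated")
        parsed["credentialId"] = auth_data[55:cred_end]
        # COSE_Key (CBOR) follows; a real RP decodes it, this example keeps the bytes.
        parsed["credentialPublicKey"] = auth_data[cred_end:]
    return parsed


def check_aaguid_policy(fmt: str, aaguid: Optional[bytes]) -> Tuple[bool, str]:
    """Apply the proposed rule: zero AAGUID only with 'none' or 'fido-u2f';
    a non-zero AAGUID under 'none' defeats the point of none attestation."""
    if aaguid is None:
        return False, "registration response carries no attested credential data"
    if aaguid == ZERO_AAGUID:
        if fmt in ("none", "fido-u2f"):
            return True, "zero AAGUID accepted for format %r" % fmt
        return False, "zero AAGUID not allowed for format %r" % fmt
    if fmt == "none":
        return False, "non-zero AAGUID under 'none' allows correlation; client should have zeroed it"
    if fmt == "fido-u2f":
        return False, "U2F authenticators carry no AAGUID; expected zeros"
    return True, "AAGUID %s accepted for format %r" % (aaguid.hex(), fmt)


def build_auth_data(aaguid: bytes, cred_id: bytes, rp_id: str = "example.com",
                    sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data (not captured from a device)."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    cose_key_placeholder = b"\xa0"  # empty CBOR map standing in for the COSE key
    return (rp_hash + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key_placeholder)


if __name__ == "__main__":
    vendor_aaguid = bytes(range(16))  # constructed, not a real vendor's AAGUID
    for fmt, aaguid in (("none", ZERO_AAGUID), ("fido-u2f", ZERO_AAGUID),
                        ("packed", ZERO_AAGUID), ("none", vendor_aaguid),
                        ("packed", vendor_aaguid)):
        parsed = parse_authenticator_data(build_auth_data(aaguid, b"\x01\x02\x03"))
        ok, reason = check_aaguid_policy(fmt, parsed["aaguid"])
        print("%-9s %s %s" % (fmt, "ACCEPT" if ok else "REJECT", reason))
```

The parse step only needs the byte offsets up to the credential ID to reach the AAGUID, so it works on any registration response regardless of key type; the policy step is where an RP would encode whichever rule the working group settles on.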
Received on Thursday, 25 March 2021 13:30:57 UTC