Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588) from Emil Lundberg via GitHub on 2021-03-25 (public-webauthn@w3.org from March 2021)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 14:11:05 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806824406-1616681464-sysbot+gh@w3.org>

Right, I thought I remembered something about the [`fido-u2f` attestation statement format](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#sctn-fido-u2f-attestation) also using zero AAGUID but couldn't find it in the spec. We should probably elaborate in the signing procedure that this particular format usually involves the client rearranging the raw U2F response into the WebAuthn attestation object format. A U2F authenticator doesn't return a zero AAGUID, rather the client inserts that as part of constructing the _attested credential data_ structure.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806824406 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 25 March 2021 14:11:10 UTC