W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2021

Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 14:11:05 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806824406-1616681464-sysbot+gh@w3.org>
Right, I thought I remembered something about the [`fido-u2f` attestation statement format](https://www.w3.org/TR/2021/PR-webauthn-2-20210225/#sctn-fido-u2f-attestation) also using zero AAGUID but couldn't find it in the spec. We should probably elaborate in the signing procedure that this particular format usually involves the client rearranging the raw U2F response into the WebAuthn attestation object format. A U2F authenticator doesn't return a zero AAGUID, rather the client inserts that as part of constructing the _attested credential data_ structure.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806824406 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 25 March 2021 14:11:10 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC