Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 14:34:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806860968-1616682840-sysbot+gh@w3.org>

> A U2F authenticator doesn't return a zero AAGUID, rather the client inserts that as part of constructing the attested credential data structure.

I'm glad you mention this because I was reimplementing FIDO-U2F verification a couple of weeks back and couldn't figure out _why_ a zero AAGUID check was in the list of steps. I did some searching around and could only find some off-handed comment that led me to believe it was something FIDO-related but that was it. I'd support including something like this bit in those verification steps for some additional context to help make some more sense of it.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806860968 using your GitHub account

Received on Thursday, 25 March 2021 14:34:03 UTC
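
The zero AAGUID check discussed in this message, as an added example that is not part of the original post or of any project's code: it reads the AAGUID out of raw authenticator data and, for the fido-u2f format, accepts only the all-zero value the client inserts. The function names and the sample bytes are constructed for illustration.

```python
import struct

AT_FLAG = 0x40            # "attested credential data included" bit of the flags byte
ZERO_AAGUID = bytes(16)   # value the client writes for a U2F authenticator


def parse_aaguid(auth_data: bytes) -> bytes:
    """Return the 16-byte AAGUID from WebAuthn authenticator data."""
    # Fixed header: rpIdHash (32) | flags (1) | signCount (4)
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    if not auth_data[32] & AT_FLAG:
        raise ValueError("AT flag clear: no attested credential data present")
    # Attested credential data: aaguid (16) | credentialIdLength (2, big-endian)
    #                           | credentialId | credential public key
    if len(auth_data) < 37 + 18:
        raise ValueError("attested credential data truncated")
    aaguid = auth_data[37:53]
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential ID truncated")
    return aaguid


def check_u2f_aaguid(fmt: str, auth_data: bytes) -> bool:
    """For fido-u2f attestation, accept only the all-zero AAGUID."""
    aaguid = parse_aaguid(auth_data)
    if fmt == "fido-u2f":
        return aaguid == ZERO_AAGUID
    return True  # other formats are checked by their own procedures, not here


def build_auth_data(aaguid: bytes, cred_id: bytes = b"\x01" * 64) -> bytes:
    """Constructed sample authenticator data (dummy hash, counter and key)."""
    header = bytes(32) + bytes([0x41]) + struct.pack(">I", 0)  # flags: UP | AT
    # b"\xa0" is an empty CBOR map standing in for the COSE public key
    return header + aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"


if __name__ == "__main__":
    print(check_u2f_aaguid("fido-u2f", build_auth_data(ZERO_AAGUID)))
    print(check_u2f_aaguid("fido-u2f", build_auth_data(b"\x11" * 16)))
```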