Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 14:34:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-806860968-1616682840-sysbot+gh@w3.org>

> A U2F authenticator doesn't return a zero AAGUID, rather the client inserts that as part of constructing the attested credential data structure.

I'm glad you mention this because I was reimplementing FIDO-U2F verification a couple of weeks back and couldn't figure out _why_ a zero AAGUID check was in the list of steps. I did some searching around and could only find some off-handed comment that led me to believe it was something FIDO-related but that was it. I'd support including something like this bit in those verification steps for some additional context to help make some more sense of it.

GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-806860968 using your GitHub account

Received on Thursday, 25 March 2021 14:34:03 UTC
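
The zero AAGUID check discussed in this message, as an added example that is not part of the original post or of any WebAuthn library: it parses the attested credential data out of authenticator data and, for the `fido-u2f` format, accepts only the all-zero AAGUID that the client inserts. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

ZERO_AAGUID = bytes(16)
FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte


def parse_attested_credential(auth_data: bytes) -> dict:
    """Parse the fixed header and attested credential data of authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data present")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("credential ID length runs past the end of the data")
    return {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": auth_data[37:53],
        "credential_id": cred_id,
    }


def u2f_aaguid_ok(fmt: str, auth_data: bytes) -> bool:
    """For fido-u2f, accept only the all-zero AAGUID; other formats are not judged here."""
    aaguid = parse_attested_credential(auth_data)["aaguid"]
    return fmt != "fido-u2f" or aaguid == ZERO_AAGUID


def build_sample(aaguid: bytes) -> bytes:
    """Constructed authenticator data; the trailing public key is placeholder bytes."""
    cred_id = bytes(range(16))
    return (hashlib.sha256(b"example.org").digest() + bytes([0x41])  # flags: UP | AT
            + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa5placeholder-cose-key")


if __name__ == "__main__":
    print(u2f_aaguid_ok("fido-u2f", build_sample(ZERO_AAGUID)))   # zero AAGUID
    print(u2f_aaguid_ok("fido-u2f", build_sample(b"\x01" * 16)))  # non-zero AAGUID
```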