Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588) from Matthew Miller via GitHub on 2021-03-25 (public-webauthn@w3.org from March 2021)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Mar 2021 16:46:19 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-807077811-1616690778-sysbot+gh@w3.org>

Ah, it turns out I'd left a note for myself! I found where the part of the FIDO spec that defines "all-zero AAGUID" for U2F devices wishing to use the CTAP2 `authenticatorMakeCredential` Command:

https://fidoalliance.org/specs/fido-v2.1-rd-20191217/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#u2f-authenticatorMakeCredential-interoperability

![Screen Shot 2021-03-25 at 9 44 15 AM](https://user-images.githubusercontent.com/5166470/112510561-c52da300-8d4e-11eb-9207-b24c60637eb8.png)

The reason this tidbit of knowledge ever became known to me was because I bothered with FIDO Conformance Testing - it specifically requires you to check that AAGUID is all zeroes for FIDO-U2F attestations. If it weren't for that I never would have known to enforce that based on the WebAuthn spec alone.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1588#issuecomment-807077811 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 25 March 2021 16:47:36 UTC