Re: [webauthn] Explicitly restrict NONE aaguid to none attestation only (#1588)

Ah, it turns out I'd left a note for myself! I found where the part of the FIDO spec that defines "all-zero AAGUID" for U2F devices wishing to use the CTAP2 `authenticatorMakeCredential` Command:

![Screen Shot 2021-03-25 at 9 44 15 AM](

The reason this tidbit of knowledge ever became known to me was because I bothered with FIDO Conformance Testing - it specifically requires you to check that AAGUID is all zeroes for FIDO-U2F attestations. If it weren't for that I never would have known to enforce that based on the WebAuthn spec alone.

GitHub Notification of comment by MasterKale
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 25 March 2021 16:47:36 UTC