- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Thu, 28 Oct 2021 16:58:36 +0000
- To: public-webauthn@w3.org
The implied purpose of an attestation is to identify a category of authenticators, which would map to an understanding (possibly managed by a third party) of the authenticator's operational policy and security posture. This might correspond to an underlying platform or hardware make and model. The trust that the authenticator holds the credential private key associated with the credential public key in a certain way (e.g. locally-generated and non-exportable) is a trust in the attestation.

If you have a self-asserted attestation (or no attestation) you are trusting the user to leverage an authenticator that meets their own security needs. This is expected to be the default approach for many if not most relying parties, as it is drastically simpler to implement for the relying party and provides the most choice to the user to leverage their chosen authenticator.

--
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1679#issuecomment-954030252 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 28 October 2021 16:58:38 UTC