Re: [webauthn] Why not make things simple? (#1709)

> In general no one really even needs attestation. This is mostly enterprise feature. You can read this article to learn more: https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651

The problem, though, is that almost nothing about an authenticator can be trusted outside of "It gave me a signature" without attestation. (The standard also does not explicitly say this either ....)

> Webauthn, same as every standard, grows to satisfy industry needs. Same as every other standard, it requires some pre-requisite knowledge.

But this is a legitimate frustration (swearing aside). Webauthn as a spec exists to communicate to an audience how to implement a set of routines. If it's failing to communicate clearly to the target market, then as a standard group we are failing in our mission. And even worse, failing to communicate will lead (and has led) to incorrect and insecure implementations (to date, I've seen insecure nonce in RP's, UV bypass, invalid attestations from a mobile device manufacturer, and probably more.)

I implemented webauthn for rust and *I* find the standard dense and hard to parse. I can empathise that anyone outside would have a really difficult time. There are some huge barriers in this document that should be addressed. 



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1709#issuecomment-1075730445 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 22 March 2022 22:55:58 UTC
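The two RP-side failure modes the comment names (insecure nonce handling and UV bypass) as an added, constructed Python example; this is not the commenter's code and not webauthn-rs. It covers the checks on the authenticator data of an assertion; signature verification over authData and the clientDataJSON hash is assumed to happen separately, and the `rp_id`, flag values and counters used in testing are made up.

```python
import hashlib
import secrets

# Flag bits of the authenticator data "flags" byte (WebAuthn authenticatorData layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified

class ChallengeStore:
    """Issues random single-use challenges; reusing or accepting an unknown one is the
    'insecure nonce' failure mode."""
    def __init__(self):
        self._pending = set()

    def issue(self):
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def consume(self, challenge):
        # True exactly once per issued challenge; a replay or a made-up value fails.
        if challenge in self._pending:
            self._pending.discard(challenge)
            return True
        return False

def parse_authenticator_data(auth_data):
    # rpIdHash (32) || flags (1) || signCount (4, big-endian) || optional data
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return auth_data[:32], auth_data[32], int.from_bytes(auth_data[33:37], "big")

def check_assertion(auth_data, rp_id, require_uv, stored_sign_count):
    """RP-side checks an assertion must pass in addition to a valid signature."""
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    # Skipping this check when UV was required is the "UV bypass" failure mode.
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but UV flag not set"
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"

def make_auth_data(rp_id, flags, sign_count):
    """Constructed sample authenticator data for testing; not from a real device."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))
```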