Re: [webauthn] Why not make things simple? (#1709)

> > In general no one really even needs attestation. This is mostly enterprise feature. You can read this article to learn more: https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651
>
> The problem though is almost nothing about an authenticator can be trusted outside of "It gave me a signature" without attestation though. (The standard also does not explicitly say this either .... )

> Indeed attestation and its many nuances is probably the most complex part of the spec, and as @herrjemand also points out it's messy because the outside world is messy. But indeed most RPs won't actually need the guarantees that attestation can provide, so they don't really need to implement all that complexity.

As far as I understand, when registering credentials, the signature is concealed somewhere deep in this authenticator-specific attStmt object.

So, without attestation means without a signature, and the client can freely tamper with all the data anyway (very easily). In the end, in the absence of a signature, you can simply send the public key over, since none of the data can be trusted anyway.

Or did I miss something?

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1709#issuecomment-1081770564 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 March 2022 11:46:45 UTC
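Added example, not code from this thread, from the spec, or from any WebAuthn library: a minimal parser for the registration attestationObject that shows what an RP is left with when the attestation format is "none". The CBOR support is a hand-written subset sufficient for this structure, the attestation object is constructed inline rather than captured from an authenticator, and the public-key coordinates are placeholder bytes, not a real P-256 point.

```python
"""Parse a WebAuthn attestationObject and show what is (not) signed for fmt "none".
CBOR codec: hand-written RFC 8949 subset (ints below 65536, byte/text strings, maps).
Sample data below is constructed for illustration, not captured from an authenticator."""
import hashlib
import struct


def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + struct.pack(">H", n)


def cbor_encode(v):
    """Encode int, bytes, str or dict (int or text keys) as CBOR."""
    if isinstance(v, bool):
        raise TypeError("bool not supported in this subset")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode()
        return _head(3, len(enc)) + enc
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))


def cbor_decode(buf, pos=0):
    """Decode one CBOR item starting at buf[pos]; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = buf[pos], pos + 1
    elif info == 25:
        n, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    else:
        raise ValueError("length encoding not supported in this subset")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:
        return buf[pos:pos + n].decode(), pos + n
    if major == 5:
        out = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("CBOR major type %d not supported in this subset" % major)


# authenticator data layout: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def parse_auth_data(auth_data):
    flags = auth_data[32]
    out = {"rpIdHash": auth_data[:32], "flags": flags,
           "signCount": struct.unpack(">I", auth_data[33:37])[0]}
    if flags & FLAG_AT:  # attested credential data: aaguid(16) | credIdLen(2) | credId | COSE_Key
        cid_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credentialId"] = auth_data[55:55 + cid_len]
        out["credentialPublicKey"], _ = cbor_decode(auth_data, 55 + cid_len)
    return out


def inspect_attestation(attestation_object):
    """Return what the RP can read out of the object and whether an attStmt is present."""
    att, _ = cbor_decode(attestation_object)
    # fmt "none" carries an empty attStmt: no signature binds authData (and the public
    # key inside it) to any authenticator; every field arrived straight from the client.
    return {"fmt": att["fmt"], "attStmtEmpty": att["attStmt"] == {},
            "authData": parse_auth_data(att["authData"])}


def build_none_attestation(rp_id="example.com", x=bytes(range(32)), y=bytes(range(32, 64))):
    """Constructed attestationObject with fmt "none"; x/y are placeholder coordinates."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: x, -3: y}  # kty=EC2, alg=ES256, crv=P-256, x, y
    cred_id = b"constructed-credential-id"
    auth_data = (rp_id_hash(rp_id) + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 0)
                 + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id + cbor_encode(cose_key))
    return cbor_encode({"fmt": "none", "attStmt": {}, "authData": auth_data})


if __name__ == "__main__":
    honest = inspect_attestation(build_none_attestation())
    # Same structure with a client-chosen key: parses identically, and there is no check to fail.
    forged = inspect_attestation(build_none_attestation(x=b"\x11" * 32, y=b"\x22" * 32))
    for label, r in (("as-generated", honest), ("client-fabricated", forged)):
        print(label, r["fmt"], "attStmt empty:", r["attStmtEmpty"],
              "key x:", r["authData"]["credentialPublicKey"][-2][:4].hex())
```

With a real format (packed, tpm, fido-u2f, ...) the RP would additionally verify attStmt's signature over authData || SHA-256(clientDataJSON) against the attestation certificate, which is the only thing that ties the credential public key to a particular authenticator. With fmt "none" the remaining checks (rpIdHash matches the RP, the challenge in clientDataJSON matches the one issued, the flags are as required) are consistency checks on client-supplied data, which is the point made in the post above.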