Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> Sorry, to clarify – are you suggesting attestation as a way of opting out of syncing, or attestation and subsequently (upon learning that it's a syncing implementation) not using a given authenticator at all?

Sorry, I mean that RPs can "opt out" of credential syncing by requiring attestation and rejecting any authenticator not known to not sync (sorry for the multiple negations, they are significant). It doesn't allow for simply disabling a sync feature, though (thus "_most_ of the same powers"). It's a roundabout way, but it's the only way - even with the authenticator data flags - if you need to strictly forbid syncing. You still need a valid attestation from an authenticator you trust, because otherwise the authenticator can just lie about the flags. Deny-lists (where you accept anything not explicitly on the list, even if unknown) don't work for enforcing a strict attestation policy, only allow-lists do.

> As far as I understand, the former is only a temporary side effect of attestation that will likely go away once the "backup indicator" is specified and implemented, right?

Yes, there's nothing that intrinsically prevents syncing authenticators from implementing attestation. For example the "apple" attestation statement format was added specifically to support Apple's platform authenticators, which have now announced plans to introduce syncing. And yes, it's also true that an authenticator that currently supports attestation but not syncing could add a sync feature later. It would be up to that authenticator vendor and any relevant certification authorities to decide if that change needs to be reflected by a change in AAGUID, attestation certificate or the like.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1084756719 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 31 March 2022 15:36:19 UTC
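The allow-list policy described in the comment above (require a verifiable attestation, reject any authenticator not positively known to be non-syncing, and treat the authenticator data flags only as defense in depth) as a worked example. This is added illustration code, not code from the webauthn specification repository, from emlun, or from any WebAuthn library. It assumes that attestation signature verification has already been done by a trusted library and produced the attestation type and AAGUID; the AAGUID values and the `VerifiedRegistration` shape are constructed for the example, and the backup-eligibility (BE, bit 3) and backup-state (BS, bit 4) flag positions are those WebAuthn Level 3 later assigned to the backup indicator.

```python
"""Allow-list attestation policy for a WebAuthn relying party (RP).

Added example, not spec or library code. Assumes a trusted library has
already verified the attestation statement and extracted the attestation
type and AAGUID; this code only applies the RP's policy to that result.
"""
from dataclasses import dataclass

# Bits of the authenticator data "flags" byte (WebAuthn Level 3 positions).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility: credential may be synced/backed up
FLAG_BS = 0x10  # backup state: credential is currently backed up

# Layout of authenticatorData: rpIdHash (32 bytes) then the flags byte.
FLAGS_OFFSET = 32


@dataclass(frozen=True)
class VerifiedRegistration:
    attestation_type: str  # "none", "self", "basic", "attca" or "anonca"
    aaguid: str            # AAGUID from the attested credential data
    flags: int             # authenticator data flags byte


# Constructed allow-list: AAGUIDs this RP has verified do not sync.
NON_SYNCING_AAGUIDS = {
    "11111111-1111-1111-1111-111111111111",  # placeholder hardware key A
    "22222222-2222-2222-2222-222222222222",  # placeholder hardware key B
}


def flags_from_authenticator_data(auth_data: bytes) -> int:
    """Return the flags byte from a raw authenticatorData blob."""
    if len(auth_data) <= FLAGS_OFFSET:
        raise ValueError("authenticatorData too short to contain flags")
    return auth_data[FLAGS_OFFSET]


def allow_list_policy(reg: VerifiedRegistration) -> tuple[bool, str]:
    """Accept only credentials from attested, known non-syncing authenticators.

    Order matters: without a trusted attestation the AAGUID and flags are
    just claims the authenticator makes about itself, so they are checked
    only after attestation type has been established.
    """
    # "none" and "self" attestation carry no third-party vouching, so the
    # AAGUID and flags cannot be trusted; a strict policy must reject them.
    if reg.attestation_type in ("none", "self"):
        return False, "no verifiable attestation; AAGUID and flags are unverified"

    # Allow-list semantics: an unknown AAGUID is rejected, not tolerated.
    if reg.aaguid not in NON_SYNCING_AAGUIDS:
        return False, f"AAGUID {reg.aaguid} not on allow-list of non-syncing authenticators"

    # Defense in depth: if a trusted vendor later adds syncing without a new
    # AAGUID, an honest authenticator will still set BE on synced credentials.
    if reg.flags & FLAG_BE:
        return False, "authenticator reports a backup-eligible credential"

    return True, "accepted"


def deny_list_policy(reg: VerifiedRegistration, known_syncing: set[str]) -> bool:
    """Contrast case: a deny-list accepts anything not explicitly listed,
    including AAGUIDs the RP has never seen, so it cannot enforce a strict
    no-sync policy."""
    return reg.aaguid not in known_syncing


if __name__ == "__main__":
    # Constructed registrations, not captured from real authenticators.
    hw_key = VerifiedRegistration("basic", "11111111-1111-1111-1111-111111111111", FLAG_UP | FLAG_UV)
    unknown = VerifiedRegistration("basic", "99999999-9999-9999-9999-999999999999", FLAG_UP | FLAG_UV)
    synced = VerifiedRegistration("basic", "11111111-1111-1111-1111-111111111111", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    for r in (hw_key, unknown, synced):
        print(r.aaguid, allow_list_policy(r))
    print("deny-list accepts unknown:", deny_list_policy(unknown, {"33333333-3333-3333-3333-333333333333"}))
```

The three checks are deliberately ordered: attestation type first, because the remaining two inputs are only meaningful once something other than the authenticator itself has vouched for them; the allow-list second, because that is the actual opt-out mechanism; and the BE flag last, as a cheap additional signal rather than the basis of the decision.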