Re: [webauthn] Must assertions with attestation include attested credential data? (#1792) from Emil Lundberg via GitHub on 2022-09-01 (public-webauthn@w3.org from September 2022)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 01 Sep 2022 14:30:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1234363197-1662042598-sysbot+gh@w3.org>

...ah, I see now that this is made unambiguous further down, in the [RP assertion verification procedure](https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/1663.html#sctn-verifying-assertion):

>22. 1. Verify that the AT bit in the [flags](https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/1663.html#flags) field of authData is set, indicating that [attested credential data](https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/1663.html#attested-credential-data) is included.

Still, I think it should be explicit in the authenticator operations as well. And now we have this issue as documentation of what exactly goes wrong if authenticators implement this incorrectly.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1792#issuecomment-1234363197 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 1 September 2022 14:30:08 UTC