Re: [webauthn] Add authenticatorDisplayName to credProps (#1880)

> If authenticators returned an AAGUID with the credential during registration, even without attestation, wouldn't that also address this same use case? I believe that's what some RPs (including Google) have been asking for.

Unattested AAGUID came up at the F2F as an acceptable way to solve this problem too, but at the time I don't think many of us thought AAGUIDs without attestation would catch on...

I agree that if we could get authenticator vendors to buy into the idea of returning a valid AAGUID under more circumstances (i.e. no attestation) it would solve this problem and a couple other "UX optimization" problems that RPs can have when trying to communicate passkey identity to users. The kind of problems that can be solved without needing a signature over the values because it's metadata that presents a low risk of weakening RP security posture if someone "spoofs" authenticator identity.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1880#issuecomment-1590549020 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 14 June 2023 06:23:48 UTC
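
The use discussed in this message, sketched as an added example (not part of the original comment or of any WebAuthn project code): an RP reads the AAGUID from the registration authenticator data and uses it only to pick a display label, never as a policy input unless attestation was verified. The function names, the `KNOWN_NAMES` table, the AAGUID value and the sample bytes are constructed for illustration.

```javascript
// Added example: AAGUID as an unverified display hint. All names are hypothetical.
const FLAG_AT = 0x40;             // "attested credential data included" flag bit
const AAGUID_OFFSET = 32 + 1 + 4; // rpIdHash (32) + flags (1) + signCount (4)
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";

// Constructed lookup table; a real RP would maintain its own mapping.
const KNOWN_NAMES = new Map([
  ["01020304-0506-0708-090a-0b0c0d0e0f10", "Example Passkey Provider"],
]);

// Returns the AAGUID as a UUID string, or null when authData has no
// attested credential data (AT flag clear, as in assertions).
function extractAaguid(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < AAGUID_OFFSET) {
    throw new RangeError("authenticator data shorter than its fixed header");
  }
  if ((authData[32] & FLAG_AT) === 0) return null;
  if (authData.length < AAGUID_OFFSET + 16 + 2) {
    throw new RangeError("AT flag set but attested credential data is truncated");
  }
  const bytes = authData.subarray(AAGUID_OFFSET, AAGUID_OFFSET + 16);
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join("-");
}

// Display label only. Without a verified attestation statement nothing signs
// the AAGUID, so usableForPolicy stays false and the label is UX metadata.
function authenticatorDisplayHint(authData, attestationVerified, names = KNOWN_NAMES) {
  const aaguid = extractAaguid(authData);
  if (aaguid === null || aaguid === ZERO_AAGUID) return null; // no model identity given
  const label = names.get(aaguid);
  if (label === undefined) return null; // unknown model: show a generic label instead
  return { aaguid, label, usableForPolicy: attestationVerified === true };
}

// Constructed sample: zeroed rpIdHash, given flags, signCount 0, AAGUID,
// credentialIdLength 4, 4-byte credential ID. The COSE public key is omitted.
function buildSampleAuthData(aaguidBytes, flags = 0x45) {
  const out = new Uint8Array(AAGUID_OFFSET + 16 + 2 + 4);
  out[32] = flags;
  out.set(aaguidBytes, AAGUID_OFFSET);
  out[AAGUID_OFFSET + 17] = 4; // low byte of big-endian credentialIdLength
  out.set([0xde, 0xad, 0xbe, 0xef], AAGUID_OFFSET + 18);
  return out;
}
```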