- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 16 Nov 2023 10:39:18 +0000
- To: public-webauthn@w3.org
I've interpreted this requirement to be a (mostly unenforceable, as you point out) requirement on authenticator vendors. I agree that it's not enforceable by anything other than a certification procedure, with the authenticator vendor honestly documenting its production processes to the certification body. I think it's worthwhile to have this as a normative expectation stated in the spec, but I agree it's a bit misleading that the `packed` verification procedure includes the step "Verify that _attestnCert_ meets the requirements in [§ 8.2.1 Packed Attestation Statement Certificate Requirements](https://www.w3.org/TR/webauthn-3/#sctn-packed-attestation-cert-requirements)", and this being one of the requirements in that section.

Although on the other hand, the next step of the verification procedure is:

> - If _attestnCert_ contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the [aaguid](https://www.w3.org/TR/webauthn-3/#authdata-attestedcredentialdata-aaguid) in _authenticatorData_.

So I guess one could also argue that that implies the RP doesn't need to verify the "If the related attestation root certificate is used for multiple authenticator models" part?

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1998#issuecomment-1814188934 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 16 November 2023 10:39:20 UTC
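The verification step quoted in the message above, worked through as an added example (this is editor-supplied code, not part of the thread, the WebAuthn spec, or any RP library). It shows the part an RP *can* check: locate the id-fido-gen-ce-aaguid extension (OID 1.3.6.1.4.1.45724.1.1.4) in the attestation certificate's Extensions sequence, decode its value, and compare it with the AAGUID carried in attestedCredentialData of authenticatorData. Two details matter in practice: the extension's extnValue is an OCTET STRING whose content is *itself* a DER OCTET STRING holding the 16 AAGUID bytes, so the inner wrapper must be stripped before comparing, and when the extension is absent the step is vacuous, which is exactly why the "used for multiple authenticator models" condition is not something the RP can test. The minimal DER reader, the `build_*` helpers and the sample AAGUID are constructed for the example; an RP using the `cryptography` package can pass `UnrecognizedExtension.value` straight into `aaguid_from_extension_value`.

```python
"""Check id-fido-gen-ce-aaguid in an attestation certificate against authenticatorData.

Added example for the packed-attestation verification step discussed above;
not code from the spec or from any project. The DER reader below handles only
what this check needs (definite-length TLVs, first OID arc 0 or 1).
"""
import hashlib
from typing import Iterator, Optional, Tuple

ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4"


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the TLVs packed inside a constructed value (SEQUENCE body)."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def oid_to_der(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_to_oid(body: bytes) -> str:
    """Decode the body of an OBJECT IDENTIFIER back to dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def find_extension(extensions_der: bytes, oid: str) -> Optional[Tuple[bool, bytes]]:
    """Walk an X.509 Extensions SEQUENCE; return (critical, extnValue) or None if absent."""
    _, outer, _ = der_read(extensions_der)
    for _, ext in der_children(outer):
        fields = list(der_children(ext))  # extnID, optional critical BOOLEAN, extnValue
        if der_to_oid(fields[0][1]) != oid:
            continue
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        return critical, fields[-1][1]
    return None


def aaguid_from_extension_value(extn_value: bytes) -> bytes:
    """extnValue content is DER: OCTET STRING (16 bytes). Strip that inner wrapper."""
    tag, inner, _ = der_read(extn_value)
    if tag != 0x04 or len(inner) != 16:
        raise ValueError("id-fido-gen-ce-aaguid must hold a 16-byte OCTET STRING")
    return inner


def aaguid_from_authenticator_data(auth_data: bytes) -> bytes:
    """Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ..."""
    if not auth_data[32] & 0x40:  # AT flag: attested credential data present
        raise ValueError("authenticatorData carries no attested credential data")
    return auth_data[37:53]


def verify_aaguid_extension(extensions_der: bytes, auth_data: bytes) -> bool:
    """The RP-checkable half of the step: compare only when the extension is present."""
    found = find_extension(extensions_der, ID_FIDO_GEN_CE_AAGUID)
    if found is None:
        return True  # nothing to compare; the "multiple models" condition is not RP-visible
    critical, extn_value = found
    if critical:  # spec: this extension MUST NOT be marked critical
        raise ValueError("id-fido-gen-ce-aaguid marked critical")
    return aaguid_from_extension_value(extn_value) == aaguid_from_authenticator_data(auth_data)


# Constructed sample inputs (not from any real authenticator).
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_extensions(aaguid: bytes, critical: bool = False) -> bytes:
    fields = oid_to_der(ID_FIDO_GEN_CE_AAGUID)
    fields += der_tlv(0x01, b"\xff") if critical else b""
    fields += der_tlv(0x04, der_tlv(0x04, aaguid))  # double OCTET STRING wrapping
    return der_tlv(0x30, der_tlv(0x30, fields))


def build_authenticator_data(aaguid: bytes) -> bytes:
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    cred_id, cred_pub_key = b"\x01" * 16, b"\xa0"  # placeholder CBOR key, not parsed
    return (rp_id_hash + bytes([0x41]) + (0).to_bytes(4, "big") + aaguid
            + len(cred_id).to_bytes(2, "big") + cred_id + cred_pub_key)


if __name__ == "__main__":
    print(verify_aaguid_extension(build_extensions(SAMPLE_AAGUID),
                                  build_authenticator_data(SAMPLE_AAGUID)))
```

Returning `True` when the extension is absent mirrors the "If _attestnCert_ contains an extension ..." wording: the RP can only compare what is there, so a root shared across models without the extension passes this step unnoticed, which is the gap the message points at.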