[webauthn] Should credentials requested with attestation=none include an AAGUID (#1962) from Pascoe via GitHub on 2023-09-12 (public-webauthn@w3.org from September 2023)

From: Pascoe via GitHub <sysbot+gh@w3.org>
Date: Tue, 12 Sep 2023 14:04:10 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-1892599715-1694527448-sysbot+gh@w3.org>

pascoej has just created a new issue for https://github.com/w3c/webauthn:

== Should credentials requested with attestation=none include an AAGUID ==
As per processing in https://w3c.github.io/webauthn/#CreateCred-async-loop, the AAGUID is zeroed out if a none attestation is given. However, at least for the platform authenticator, WebKit is the only one to actually perform this step. The other implementations do not zero out the AAGUID and we have gotten requests to stop zeroing it out.


Should we change the spec to not zero out the AAGUID in the steps stating

> credentialCreationData.[attestationConveyancePreferenceOption](https://w3c.github.io/webauthn/#credentialcreationdata-attestationconveyancepreferenceoption)’s value is ... Otherwise ... Replace the [AAGUID](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) with 16 zero bytes.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1962 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 12 September 2023 14:04:13 UTC