Re: [webauthn] Make the default value for the attestation member in assertion options be null (#1972)

> For assertion-time attestation, specifying the formats as `["none"]` to the authenticator tells it [not to return](https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#authenticatorGetAssertion) an attestation.

Indeed. While digging into CTAP 2.2, I found that the make credential operation also handles the attestation format.
@agl, as far as I understand, there was no such option, so the authenticator always returns the attestation for the create operation. Is this modification intentional? @dwaite, @ve7jtb

Due to this modification, WebAuthn L3 also sends `attestationFormats` as `["none"]` to the authenticator if the attestation option is `none`. I think this also needs to be reconsidered, since only CTAP 2.2+ can handle `attestationFormats` for create.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1972#issuecomment-1741608792 using your GitHub account



Received on Saturday, 30 September 2023 00:49:23 UTC