Re: [webauthn] Enterprise packed attestation guidance (#1954)

As currently defined by FIDO it is an opaque blob. That allows vendors to encode what they like in it. Some may encode an integer and others may have alphanumeric serials. We registered the OID so that FIDO servers could have a standard place to find the info. The RP should be using it to look up what the public key for the attestation should be in the information they received from the vendor when purchasing the key. So yes, there should probably be some document outside of WebAuthn to explain what the RP could/should do with an enterprise attestation. Different RPs will probably do different things. Example:
1) Check the attestation sig and AAGUID to see if it is one that they purchased.
2) Check the opaque serial string to see if it matches a key that was assigned to a specific user, or just record the serial of the key during registration. For example, at Google, if a serial is seen coming in from a new user when they create a credential, any credentials created by another user with that same serial are deprovisioned from those users (this is a sort of cleanup).
3) Look up the attestation public key from the serial blob using out-of-band provisioning information from the vendor, and reject if the key doesn't match the serial.

Some combination of all of those is possible.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1954#issuecomment-2274667098 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 8 August 2024 00:58:38 UTC
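The three RP-side checks listed in the comment, worked through as an added example in Go. This is not code from the comment's author, from the WebAuthn specification or from any FIDO server; it assumes a WebAuthn library has already parsed the packed attestation statement and extracted the AAGUID, the opaque serial blob from the attestation certificate's serial extension (the OID itself is not reproduced here), the signed bytes and the signature. The vendor inventory format, the 16-byte AAGUID value, the serial "SN-0001" and the signed data are all constructed for the example, and the per-device attestation key pair is generated in place to stand in for the vendor's key. ES256 (ECDSA P-256 over SHA-256) is assumed as the attestation algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AAGUID identifies an authenticator model; the RP compares it against the models it purchased.
type AAGUID [16]byte

// VendorInventory models the out-of-band information received from the vendor at purchase
// time (constructed format): which models were bought, and the attestation public key that
// belongs to each device's serial blob. The map key is the raw serial bytes as a string.
type VendorInventory struct {
	PurchasedModels map[AAGUID]bool
	KeyBySerial     map[string]*ecdsa.PublicKey
}

// EnterpriseAttestation is what the RP holds once the packed attestation has been parsed.
type EnterpriseAttestation struct {
	AAGUID     AAGUID
	Serial     []byte // opaque: one vendor may encode an integer, another an alphanumeric string
	SignedData []byte // authenticatorData || clientDataHash
	Signature  []byte // ASN.1 DER ECDSA signature (ES256 assumed)
}

// VerifyEnterpriseAttestation performs checks 1 and 3 from the comment: the model must be one
// the RP purchased, the serial must appear in the vendor inventory, and the signature must
// verify under the attestation key the vendor associated with exactly that serial.
func VerifyEnterpriseAttestation(inv *VendorInventory, att *EnterpriseAttestation) error {
	if !inv.PurchasedModels[att.AAGUID] {
		return errors.New("AAGUID is not a model this RP purchased")
	}
	pub, ok := inv.KeyBySerial[string(att.Serial)]
	if !ok {
		return errors.New("serial blob not present in vendor inventory")
	}
	digest := sha256.Sum256(att.SignedData)
	if !ecdsa.VerifyASN1(pub, digest[:], att.Signature) {
		return errors.New("signature does not verify under the key registered for this serial")
	}
	return nil
}

// Credential is a registered credential plus the serial of the authenticator that created it
// (check 2: record the serial during registration).
type Credential struct {
	ID     string
	Serial string
}

// CredentialStore keeps credentials per user, in memory for this example.
type CredentialStore struct{ byUser map[string][]Credential }

func NewCredentialStore() *CredentialStore {
	return &CredentialStore{byUser: map[string][]Credential{}}
}

// Register records the new credential and, following the cleanup described in the comment,
// deprovisions every credential a different user created with the same serial.
// It returns "user:credentialID" for each credential removed.
func (s *CredentialStore) Register(user, credID string, serial []byte) []string {
	ser := string(serial)
	var removed []string
	for other, creds := range s.byUser {
		if other == user {
			continue
		}
		kept := creds[:0] // in-place filter over the other user's credentials
		for _, c := range creds {
			if c.Serial == ser {
				removed = append(removed, other+":"+c.ID)
			} else {
				kept = append(kept, c)
			}
		}
		s.byUser[other] = kept
	}
	s.byUser[user] = append(s.byUser[user], Credential{ID: credID, Serial: ser})
	return removed
}

// Credentials returns the credentials currently provisioned for a user.
func (s *CredentialStore) Credentials(user string) []Credential { return s.byUser[user] }

// DemoScenario builds a constructed inventory with one purchased model and one device
// ("SN-0001"), and a valid attestation signed by that device's freshly generated key.
func DemoScenario() (*VendorInventory, *EnterpriseAttestation, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var model AAGUID
	copy(model[:], []byte("example-aaguid!!")) // 16 constructed bytes, not a real vendor AAGUID
	serial := []byte("SN-0001")
	inv := &VendorInventory{
		PurchasedModels: map[AAGUID]bool{model: true},
		KeyBySerial:     map[string]*ecdsa.PublicKey{string(serial): &priv.PublicKey},
	}
	signed := []byte("constructed authenticatorData || clientDataHash")
	digest := sha256.Sum256(signed)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return inv, &EnterpriseAttestation{AAGUID: model, Serial: serial, SignedData: signed, Signature: sig}, nil
}

func main() {
	inv, att, err := DemoScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("valid attestation:", VerifyEnterpriseAttestation(inv, att))
	store := NewCredentialStore()
	fmt.Println("alice registers, removed:", store.Register("alice", "cred-a", att.Serial))
	fmt.Println("bob registers same serial, removed:", store.Register("bob", "cred-b", att.Serial))
}
```

The serial is treated strictly as opaque bytes throughout (no integer parsing, no trimming), matching the comment's point that vendors encode it however they like; the only meaningful comparison is byte equality against what the vendor supplied. Keying the attestation public key by serial, rather than accepting any key that chains to the vendor's CA, is what turns step 3 into a per-device check.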