[webauthn] Closed Pull Request: Make the default value for the attestation member in assertion options be null

MasterKale has just closed Kieun's pull request 1972 for https://github.com/w3c/webauthn:

== Make the default value for the attestation member in assertion options be null ==
The default value of attestation options in **assertion** was `none` and the intention was that the relying party does not want any attestation at assertion time. In this case, the user agent and authenticator do not return any `attestationObject`, which is backward compatible.
But `none` attestation options in **attestation** **do** always return an attestation statement, including a `none` attestation statement or any other attestation statement with `self` attestation.

Now, with this PR, the default of attestation options in **assertion** is `null`.
So, if the RP does not set the attestation option member value, the user agent now handles that value as `null`. In this case, the user agent does not request any attestation from the authenticator by creating the single-entry list with `none` for attestationFormats, and it does not return attestationObject as an assertion response.

In other cases, if the RP explicitly sets attestation options including `none`, the user agent now sends such a request in the same way as attestation processing, and if any authenticator supports such requests, the authenticator may return attestation in assertions. Then, the user agent handles such a response from the authenticator with additional steps such as replacing some potentially identifiable information.


Fixes #1941


***
<a href="https://pr-preview.s3.amazonaws.com/Kieun/webauthn/pull/1972.html" title="Last updated on Sep 22, 2023, 10:01 AM UTC (021293c)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/1972/baf774a...Kieun:021293c.html" title="Last updated on Sep 22, 2023, 10:01 AM UTC (021293c)">Diff</a>

See https://github.com/w3c/webauthn/pull/1972


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 10 January 2024 20:26:57 UTC