- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Jul 2024 14:13:03 +0000
- To: public-webauthn@w3.org
The text looks mostly fine to me, but I wonder if we even need to comment at all on the "higher degree of variance ..." etc. To me it seems rather obvious, and rather irrelevant to the WebAuthn spec, that some certification bodies might impose additional requirements. I would also hesitate to write "are often used" about a feature not yet deployed. :slightly_smiling_face:

So yeah, I would omit the second paragraph. Probably the first one too, leaving just the actual requirements. I reckon the use cases of a unique serial number are probably obvious enough.

> 8.2.2. Certificate Requirements for Enterprise Packed Attestation Statements
>
> The Extension OID 1.3.6.1.4.1.45724.1.1.2 (id-fido-gen-ce-sernum) MAY be present, and if so MUST indicate a unique value per device against a particular AAGUID. This value MUST remain constant through factory resets, but MAY be distinct from any other serial number or other hardware identifier associated with the device. This extension MUST NOT be marked as critical, and the corresponding value is encoded as an OCTET STRING. This extension MUST NOT be present in non-enterprise attestations.

I also haven't yet seen a clear answer to [my question above](https://github.com/w3c/webauthn/pull/1954#discussion_r1311514087): is this OCTET STRING value in general an encoded integer, or just an opaque octet string with undefined internal structure?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1954#issuecomment-2206227995 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 3 July 2024 14:13:04 UTC
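
A relying-party check for the certificate requirements quoted in the message above, as an added example that is not part of the message, the pull request or the specification. Assumptions: the function names are hypothetical, the sample extension is constructed, the X.509 extnValue is taken to wrap a DER OCTET STRING, and the serial is returned as opaque bytes without being interpreted.

```python
# id-fido-gen-ce-sernum, 1.3.6.1.4.1.45724.1.1.2 (from the quoted text), as DER content bytes
SERNUM_OID_DER = bytes.fromhex("2b0601040182e51c010102")

def read_tlv(buf, pos=0):
    """Read one DER TLV (definite length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_sernum_extension(ext_der, enterprise):
    """Check one X.509 Extension; return the serial as opaque bytes,
    or None when the extension is not id-fido-gen-ce-sernum."""
    tag, seq, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("extnID is not an OBJECT IDENTIFIER")
    if oid != SERNUM_OID_DER:
        return None
    if not enterprise:
        raise ValueError("sernum extension in a non-enterprise attestation")
    tag, val, pos = read_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN; absent means FALSE
        if val != b"\x00":
            raise ValueError("sernum extension is marked critical")
        tag, val, pos = read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("extnValue is not a single OCTET STRING")
    tag, serial, end = read_tlv(val)  # assumption: inner value is a DER OCTET STRING
    if tag != 0x04 or end != len(val):
        raise ValueError("value is not a single OCTET STRING")
    return serial  # kept as opaque bytes, so leading zero octets survive

# Constructed sample: non-critical extension carrying the made-up serial 00 01 02 03.
SAMPLE = bytes.fromhex("3015060b2b0601040182e51c0101020406040400010203")
```

Returning the value as bytes rather than parsing it as an integer keeps the check valid under either reading of the open question in the message.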