[webauthn] WebAuthn Clients should pass AAGUIDs from security keys when attestation is none (#2198)

timcappalli has just created a new issue for https://github.com/w3c/webauthn:

== WebAuthn Clients should pass AAGUIDs from security keys when attestation is none ==
There has been some confusion across multiple issues, so creating another one 🫠.

In #2058, spec text was added to only zero out AAGUIDs for none attestations when the authenticator was *not* a platform authenticator.

Proposal is to remove this change altogether, which would allow AAGUIDs from security keys to not be zeroed out.

Remove:
```
If authenticator is not a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators) then replace the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) with 16 zero bytes.
```

This makes the behavior the same across all authenticator types from the client perspective.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2198 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 13 November 2024 20:51:24 UTC
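
Added example, not code from the issue, the specification or any browser: the AAGUID handling discussed above, showing what a relying party reads from authenticator data under the quoted spec text versus the proposal. Function names, the `zeroNonPlatform` switch and all sample bytes are constructed for illustration; it assumes Node.js for `Buffer`.

```javascript
// Authenticator data: rpIdHash(32) | flags(1) | signCount(4) | attested credential data
// Attested credential data: aaguid(16) | credentialIdLength(2) | credentialId | public key
const AT_FLAG = 0x40;              // flags bit 6: attested credential data included
const AAGUID_OFFSET = 37;          // 32 + 1 + 4
const AAGUID_LEN = 16;
const SAMPLE_AAGUID = '00112233445566778899aabbccddeeff'; // constructed value

// Returns the AAGUID as hex, or null when no attested credential data is present.
function readAaguid(authData) {
  if (authData.length < AAGUID_OFFSET) throw new RangeError('authData too short');
  if ((authData[32] & AT_FLAG) === 0) return null;
  if (authData.length < AAGUID_OFFSET + AAGUID_LEN + 2) {
    throw new RangeError('truncated attested credential data');
  }
  return Buffer.from(authData.subarray(AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN)).toString('hex');
}

// Client step for attestation "none". zeroNonPlatform (hypothetical switch):
// true = the spec text quoted in the issue, false = the proposal.
function noneAttestationAuthData(authData, isPlatformAuthenticator, zeroNonPlatform) {
  const out = Uint8Array.from(authData); // work on a copy
  const hasAttested = out.length > 32 && (out[32] & AT_FLAG) !== 0;
  if (zeroNonPlatform && !isPlatformAuthenticator && hasAttested) {
    out.fill(0, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
  }
  return out;
}

// Constructed authenticator data; the public key is left out since only the AAGUID is read.
function buildSampleAuthData(aaguidHex) {
  const credId = Uint8Array.of(0xaa, 0xbb, 0xcc, 0xdd);
  const buf = new Uint8Array(AAGUID_OFFSET + AAGUID_LEN + 2 + credId.length);
  buf.fill(0x11, 0, 32);                 // placeholder rpIdHash
  buf[32] = 0x01 | AT_FLAG;              // UP + AT
  buf[36] = 1;                           // signCount = 1 (big-endian)
  buf.set(Buffer.from(aaguidHex, 'hex'), AAGUID_OFFSET);
  buf[AAGUID_OFFSET + AAGUID_LEN + 1] = credId.length; // low byte of 16-bit length
  buf.set(credId, AAGUID_OFFSET + AAGUID_LEN + 2);
  return buf;
}

// What the relying party reads in each case.
function aaguidSeenByRp(isPlatformAuthenticator, zeroNonPlatform) {
  const authData = buildSampleAuthData(SAMPLE_AAGUID);
  return readAaguid(noneAttestationAuthData(authData, isPlatformAuthenticator, zeroNonPlatform));
}
console.log('security key, quoted text:', aaguidSeenByRp(false, true));
console.log('platform, quoted text:    ', aaguidSeenByRp(true, true));
console.log('security key, proposal:   ', aaguidSeenByRp(false, false));
```

A relying party that keys policy or UI on the AAGUID should treat the all-zero value as "unknown authenticator" rather than as a match for any model.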