Re: [webauthn] Should credentials requested with attestation=none include an AAGUID? (#1962)

I think this doesn't have to be a firm requirement, just that the authenticator SHOULD include the AAGUID. This change was being made, as per some discussion at TPAC, with the expectation that we'll be removing authenticatorDisplayName from credProps, and allow RPs to use the AAGUID to determine the display name of the authenticator. I would say that privacy-conscious authenticators and clients should continue to zero out the AAGUID, and were probably not filling out authenticatorDisplayName if it was requested anyhow.

I would say that a user doesn't have to consent to something that they could potentially obscure, either by using a fake AAGUID (aka lying) or by zeroing it out, and we should continue to only push for additional consent in the presence of attestation. 


-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1962#issuecomment-2400307937 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 8 October 2024 16:17:31 UTC
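The comment above describes an RP reading the AAGUID out of a registration response to pick a display name, while treating an all-zero AAGUID (a privacy-conscious authenticator) as "nothing to show" and remembering that, without attestation, whatever AAGUID is present is self-reported. The following is an added example, not code from the message author, the WebAuthn specification or any W3C project, of what that looks like on the RP side: a parser for the authenticatorData structure (rpIdHash, flags, signCount, and the attested credential data that carries the AAGUID) plus a lookup that returns a display-name hint together with whether it is backed by verified attestation. The AAGUID table, the helper names and the sample bytes are all constructed for illustration; the example assumes the ED (extensions) flag is clear, because locating the end of the COSE key when extensions follow requires a CBOR decoder.

```python
"""RP-side parsing of WebAuthn authenticatorData to extract and interpret the AAGUID.

Added example; assumptions are marked inline. Byte layout follows the
authenticator data structure: rpIdHash(32) | flags(1) | signCount(4)
| [aaguid(16) | credIdLen(2) | credId | COSE key] when the AT flag is set.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified
FLAG_AT = 0x40   # attested credential data included
FLAG_ED = 0x80   # extension data included

ZERO_AAGUID = uuid.UUID(int=0)

# Hypothetical AAGUID -> display name table (constructed value, not a real vendor AAGUID).
KNOWN_AAGUIDS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "Example Vendor Key",
}


@dataclass
class AttestedCredential:
    aaguid: uuid.UUID
    credential_id: bytes
    cose_public_key: bytes


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    attested_credential: Optional[AttestedCredential]


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse authenticatorData bytes; raises ValueError on truncation or unsupported layout."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    rp_id_hash = data[:32]
    flags = data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    if flags & FLAG_ED:
        # Assumption for this example: no extension data. With ED set the COSE key and the
        # extensions map are back-to-back CBOR items and a CBOR decoder is needed to split them.
        raise ValueError("extension data present; this example does not decode CBOR extensions")
    attested = None
    if flags & FLAG_AT:
        offset = 37
        if len(data) < offset + 18:
            raise ValueError("truncated attested credential data")
        aaguid = uuid.UUID(bytes=data[offset:offset + 16])
        offset += 16
        cred_len = struct.unpack(">H", data[offset:offset + 2])[0]
        offset += 2
        if len(data) < offset + cred_len:
            raise ValueError("truncated credential id")
        cred_id = data[offset:offset + cred_len]
        offset += cred_len
        attested = AttestedCredential(aaguid, cred_id, data[offset:])
    return AuthenticatorData(rp_id_hash, flags, sign_count, attested)


def display_name_hint(aaguid: uuid.UUID, attestation_verified: bool) -> Tuple[str, bool]:
    """Return (display name, trusted). The name is only 'trusted' when the AAGUID came
    with attestation the RP verified; with attestation=none it is a self-reported hint."""
    if aaguid == ZERO_AAGUID:
        # Privacy-conscious authenticator/client zeroed the AAGUID: nothing to infer.
        return ("Unknown authenticator", False)
    name = KNOWN_AAGUIDS.get(aaguid, "Unrecognised authenticator")
    return (name, attestation_verified)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: uuid.UUID, cred_id: bytes, cose_key: bytes) -> bytes:
    """Construct sample authenticatorData for offline testing (helper for this example)."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key
    return out


if __name__ == "__main__":
    sample = build_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 7,
                                      uuid.UUID("11111111-2222-3333-4444-555555555555"),
                                      b"\x01\x02\x03", b"\xa5\x01\x02")  # constructed COSE bytes
    ad = parse_authenticator_data(sample)
    print(display_name_hint(ad.attested_credential.aaguid, attestation_verified=False))
```

The `trusted` flag is the practical point of the comment: with attestation=none the RP may use the AAGUID to label the credential in a UI, but it must not use it for any policy decision, since an authenticator can zero it or report a different value entirely.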