- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Wed, 09 Oct 2024 02:00:02 +0000
- To: public-webauthn@w3.org
> I would say that a user doesn't have to consent to something that they could potentially obscure, either by using a fake AAGUID (aka lying) or by zeroing it out

How can I zero out an AAGUID? Do platform authenticators provide the ability to artificially set an AAGUID? Clearly I cannot zero out the AAGUID in the response since that would invalidate the signature.

> and we should continue to only push for additional consent in the presence of attestation.

To be clear, you mean "push for additional consent in the presence of attestation _for roaming authenticators_", correct? By including the AAGUID, consent should not be asked for _at all_, even in the presence of attestation for platform authenticators, since it's not asked or respected in good faith (i.e., it's a façade):

* No attestation is requested and no consent is asked: AAGUID is included.
* Attestation is requested, consent is asked, consent is rejected: AAGUID is _still_ included.

As a user, I have zero faith in the system since you are including the AAGUID no matter what, even when I explicitly do not give my consent. If you are suggesting that when consent is asked (due to attestation being requested) and subsequently rejected, the AAGUID should not be included even for platform authenticators, then that's "proof" the AAGUID is something a user should be able to control, which in turn implies consent should always be requested even without attestation since the AAGUID is involved.

The only way I could resolve any of this is if attestation is somehow more "revealing" than an AAGUID, which I'm not sure I'm sold on, since for many attestations the root CA certificate is publicly known and can likely be re-derived in the presence of an AAGUID, at which point having the AAGUID essentially means having the attestation (from a privacy perspective).
--
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1962#issuecomment-2401121829 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 9 October 2024 02:00:03 UTC
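The comment above rests on two structural facts about WebAuthn registration responses: the AAGUID is a field of the attested credential data inside authenticatorData, and an attestation signature (for formats that carry one) covers authenticatorData || clientDataHash, so the AAGUID cannot be blanked in the response without breaking that signature. The following Go program, added here as an illustration and not code from the thread, the WebAuthn spec, or any authenticator vendor, builds a minimal authenticatorData with a constructed AAGUID, signs it in the style of packed self-attestation with the credential's own P-256 key, parses the AAGUID back out on the relying-party side, and then zeroes the 16 AAGUID bytes in place to show the verification fail. The RP ID (`example.com`), the AAGUID value, the credential ID, and the clientDataJSON are all constructed sample values. One caveat the code makes visible: the "signature breaks" argument applies to attestation formats that include a signature; the `none` format carries no attestation signature, so the AAGUID there is still present in the parsed data but nothing cryptographic ties it down.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUP, flagUV, flagAT = 0x01, 0x04, 0x40 // flags byte: user present, user verified, attested credential data present
var SampleAAGUID = [16]byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00} // constructed, not a real AAGUID

// AuthData is the parsed form of authenticator data that carries attested credential data.
type AuthData struct {
	RPIDHash []byte
	Flags    byte
	AAGUID   [16]byte
	CredID   []byte
	COSEKey  []byte // raw CBOR COSE_Key; it is the trailing field when no extensions follow
}

// coseEC2Key hand-encodes an ES256 public key as CBOR {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}.
func coseEC2Key(pub *ecdsa.PublicKey) []byte {
	b := []byte{0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20} // map(5), 1:2, 3:-7, -1:1, -2:bstr(32)
	b = append(b, pub.X.FillBytes(make([]byte, 32))...)
	b = append(b, 0x22, 0x58, 0x20) // -3: bstr(32)
	return append(b, pub.Y.FillBytes(make([]byte, 32))...)
}

// BuildAuthData assembles rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE_Key.
func BuildAuthData(rpID string, aaguid [16]byte, credID []byte, signCount uint32, pub *ecdsa.PublicKey) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	b := append(rpIDHash[:], flagUP|flagUV|flagAT)
	b = binary.BigEndian.AppendUint32(b, signCount)
	b = append(b, aaguid[:]...)
	b = binary.BigEndian.AppendUint16(b, uint16(len(credID)))
	b = append(b, credID...)
	return append(b, coseEC2Key(pub)...)
}

// ParseAuthData is the relying-party side of the layout above; the AAGUID occupies bytes 37..52 whenever AT is set.
func ParseAuthData(raw []byte) (*AuthData, error) {
	if len(raw) < 37 {
		return nil, errors.New("authenticator data shorter than the 37-byte fixed header")
	}
	ad := &AuthData{RPIDHash: raw[:32], Flags: raw[32]}
	if ad.Flags&flagAT == 0 {
		return ad, nil // no attested credential data (as in an assertion), hence no AAGUID to read
	}
	rest := raw[37:]
	if len(rest) < 18 || len(rest) < 18+int(binary.BigEndian.Uint16(rest[16:18])) {
		return nil, errors.New("attested credential data truncated")
	}
	n := 18 + int(binary.BigEndian.Uint16(rest[16:18]))
	copy(ad.AAGUID[:], rest[:16])
	ad.CredID, ad.COSEKey = rest[18:n], rest[n:]
	return ad, nil
}

// SignPackedSelf mimics packed self-attestation: ECDSA-SHA256 over authenticatorData || clientDataHash with the credential key.
func SignPackedSelf(priv *ecdsa.PrivateKey, authData, clientDataHash []byte) ([]byte, error) {
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyPackedSelf is the relying party's check; any byte of authData that changes after signing, AAGUID included, fails it.
func VerifyPackedSelf(pub *ecdsa.PublicKey, authData, clientDataHash, sig []byte) bool {
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed registration, reads the AAGUID back out of the signed data, then zeroes it and re-verifies.
func Demo() (aaguid [16]byte, okAsIssued, okZeroed bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	cdh := sha256.Sum256([]byte(`{"type":"webauthn.create","challenge":"constructed"}`)) // hash of a constructed clientDataJSON
	authData := BuildAuthData("example.com", SampleAAGUID, []byte("constructed-cred-id"), 0, &priv.PublicKey)
	sig, err := SignPackedSelf(priv, authData, cdh[:])
	if err != nil {
		return
	}
	parsed, err := ParseAuthData(authData)
	if err != nil {
		return
	}
	zeroed := append([]byte{}, authData...)
	copy(zeroed[37:53], make([]byte, 16)) // blank only the AAGUID; the signature and every other byte stay as issued
	return parsed.AAGUID, VerifyPackedSelf(&priv.PublicKey, authData, cdh[:], sig),
		VerifyPackedSelf(&priv.PublicKey, zeroed, cdh[:], sig), nil
}

func main() {
	fmt.Println(Demo()) // AAGUID bytes, valid as issued, valid after zeroing the AAGUID, error
}
```

Running it prints the constructed AAGUID recovered from the signed authenticator data, `true` for the untouched response and `false` once the AAGUID bytes are zeroed. The parser is deliberately the relying party's view: it does not need the attestation statement at all to read the AAGUID, which is the point of the comment that the identifier is exposed whether or not attestation was requested or consented to.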