[webauthn] Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used (#2146)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used ==
In L3, platform-based authenticators are allowed AAGUIDs that are not all-zero even when _`credentialCreationData.`_[`attestationConveyancePreferenceOption`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationconveyancepreferenceoption) is `"none"`. As a result, there is no additional privacy obtained by replacing self attestation with none attestation. Specifically, the steps describing _constructCredentialAlg_ in [§ 5.1.3.](https://w3c.github.io/webauthn/#sctn-createCredential) should be changed from:

> 1. If the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) is 16 zero bytes, _`credentialCreationData.`_[`attestationObjectResult`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationobjectresult)`.fmt` is "packed", and "x5c" is absent from _`credentialCreationData.`_[`attestationObjectResult`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationobjectresult), then [self attestation](https://w3c.github.io/webauthn/#self-attestation) is being used and no further action is needed.

to

> 1. If the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) is 16 zero bytes or _authenticator_ is a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators), _`credentialCreationData.`_[`attestationObjectResult`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationobjectresult)`.fmt` is "packed", and "x5c" is absent from _`credentialCreationData.`_[`attestationObjectResult`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationobjectresult), then [self attestation](https://w3c.github.io/webauthn/#self-attestation) is being used and no further action is needed.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2146 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 11 September 2024 16:45:38 UTC