- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Thu, 12 Sep 2024 14:54:35 +0000
- To: public-webauthn@w3.org
Thinking of this more, if `platform` authenticators are excused from the privacy-preserving practice of replacing an AAGUID with all zeros when passed a `"none"` `AttestationConveyancePreferenceOption`, what is the point of replacing the attestation? Is AAGUID not strictly more privacy-disrespecting than any X.509 v3 certificate chain that may exist? Specifically, I'm thinking the following also seems to work:

> 1. If the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) is 16 zero bytes or _authenticator_ is a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators), no further action is needed.

No need to special case self attestation as only `platform` authenticators need to have the exception applied.

--
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2146#issuecomment-2346530477 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 12 September 2024 14:54:36 UTC
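
The step proposed in the message above, sketched as an added example that is not part of the original message, the WebAuthn specification, or any browser's code. The function and field names are hypothetical; the sketch assumes the standard authenticator data layout (32-byte rpIdHash, 1 flags byte, 4-byte signCount, then the 16-byte AAGUID) and that the caller replaces the attestation statement whenever `replaceAttestation` is true.

```javascript
// Added illustration; function and field names are hypothetical.
const AT_FLAG = 0x40;              // flags bit 6: attested credential data included
const AAGUID_OFFSET = 32 + 1 + 4;  // rpIdHash (32) + flags (1) + signCount (4)
const AAGUID_LEN = 16;

// Returns a view of the AAGUID inside registration authenticator data.
function readAaguid(authData) {
  if (authData.length < AAGUID_OFFSET + AAGUID_LEN) {
    throw new RangeError("authData too short for attested credential data");
  }
  if ((authData[32] & AT_FLAG) === 0) {
    throw new Error("AT flag not set: no attested credential data");
  }
  return authData.subarray(AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
}

// Proposed step for the "none" preference. attachment is "platform" or
// "cross-platform". Returns the authData to hand to the RP and whether the
// attestation statement must also be replaced.
function applyNonePreference(authData, attachment) {
  const aaguid = readAaguid(authData);
  if (aaguid.every((b) => b === 0) || attachment === "platform") {
    return { authData, replaceAttestation: false }; // no further action
  }
  const scrubbed = Uint8Array.from(authData);       // leave the input untouched
  scrubbed.fill(0, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
  return { authData: scrubbed, replaceAttestation: true };
}

// Constructed sample: zero rpIdHash, flags UP|AT, signCount 0, AAGUID filled
// with aaguidByte, zero-length credential ID, no public key bytes.
function sampleAuthData(aaguidByte) {
  const buf = new Uint8Array(AAGUID_OFFSET + AAGUID_LEN + 2);
  buf[32] = 0x01 | AT_FLAG;
  buf.fill(aaguidByte, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
  return buf;
}

for (const [byte, attachment] of [[0xab, "cross-platform"], [0xab, "platform"], [0x00, "cross-platform"]]) {
  const r = applyNonePreference(sampleAuthData(byte), attachment);
  console.log(attachment, byte, "replaceAttestation =", r.replaceAttestation);
}
```

Under this step a platform authenticator's AAGUID reaches the relying party unchanged even with `"none"`, which is the privacy trade-off the message questions.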