Re: [webauthn] Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used (#2146)

Thinking of this more, if `platform` authenticators are excused from the privacy-preserving practice of replacing an AAGUID with all zeros when passed a `"none"` `AttestationConveyancePreferenceOption`, what is the point of replacing the attestation? Is AAGUID not strictly more privacy-disrespecting than any X.509 v3 certificate chain that may exist? Specifically, I'm thinking the following also seems to work:

> 1. If the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) is 16 zero bytes or _authenticator_ is a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators), no further action is needed.

No need to special-case self attestation, as only `platform` authenticators need to have the exception applied.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2146#issuecomment-2346530477 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 12 September 2024 14:54:36 UTC
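
The client-side step quoted in the message above, sketched as an added example that is not part of the original comment or of the WebAuthn specification text. The names `applyNonePreference`, `readAaguid`, `sampleAuthData`, the `attachment` parameter and the already-decoded `result` object are hypothetical; the byte offsets follow the WebAuthn authenticator data layout, and the sample inputs are constructed.

```javascript
// Added example, not specification text. Authenticator data layout (WebAuthn):
// rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | ...
const AAGUID_OFFSET = 37;
const AAGUID_LENGTH = 16;
const FLAG_AT = 0x40; // attested credential data present

function readAaguid(authData) {
  const end = AAGUID_OFFSET + AAGUID_LENGTH;
  if (authData.length < end || (authData[32] & FLAG_AT) === 0) return null;
  return authData.subarray(AAGUID_OFFSET, end);
}

// Hypothetical helper: `result` is an already-decoded attestation object
// { fmt, attStmt, authData }, `attachment` is "platform" or "cross-platform".
function applyNonePreference(result, attachment) {
  const aaguid = readAaguid(result.authData);
  if (aaguid === null) throw new Error("no attested credential data");
  const allZero = aaguid.every((b) => b === 0);
  // Proposed wording: zero AAGUID or platform authenticator => no further action.
  // Note there is no fmt/x5c check, so a certificate chain would pass through.
  if (allZero || attachment === "platform") return { ...result, changed: false };
  // Otherwise anonymize on a copy: zero the AAGUID, drop the attestation.
  const authData = Uint8Array.from(result.authData);
  authData.fill(0, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LENGTH);
  return { fmt: "none", attStmt: {}, authData, changed: true };
}

// Constructed sample: flags = UP|AT, signCount 0, AAGUID filled with one byte.
function sampleAuthData(aaguidByte) {
  const buf = new Uint8Array(AAGUID_OFFSET + AAGUID_LENGTH + 2);
  buf[32] = 0x01 | FLAG_AT;
  buf.fill(aaguidByte, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LENGTH);
  return buf;
}

const packed = (b, stmt) => ({ fmt: "packed", attStmt: stmt, authData: sampleAuthData(b) });
const cases = [
  ["platform, non-zero AAGUID", packed(0xab, { alg: -7 }), "platform"],
  ["roaming, non-zero AAGUID", packed(0xab, { alg: -7 }), "cross-platform"],
  ["roaming, zero AAGUID with x5c", packed(0x00, { alg: -7, x5c: ["constructed"] }), "cross-platform"],
];
for (const [label, result, attachment] of cases) {
  const out = applyNonePreference(result, attachment);
  console.log(label, "->", out.fmt, out.changed ? "(anonymized)" : "(unchanged)");
}
```

The third case shows the consequence of dropping the self-attestation check: a zero AAGUID alone leaves the attestation statement, including any `x5c` chain, in place.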