Re: [webauthn] Enterprise packed attestation guidance (#1954) from Shane Weeden via GitHub on 2024-09-18 (public-webauthn@w3.org from September 2024)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Sep 2024 19:32:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2359253155-1726687939-sysbot+gh@w3.org>

> @sbweeden and @emlun, since the enterprise attestation requirements really amount to one optional attribute, do you feel this section needs processing requirements or that perhaps we should instead have separate, generalized RP guidance outside "packed" attestations?

I find it disappointing that there is no defined structure for the data contained within the enterprise OID extension, similar to what this is for the packed attestation OID 1.3.6.1.4.1.45724.1.1.4. Makes it impossible for an RP to build a product that has consistent processing for different enterprise attestations.

I realise this is not within WebAuthn WG's domain, but still... As for WebAuthn, perhaps text that says it must be validated _using a vendor specified process_, or similar?

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1954#issuecomment-2359253155 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 18 September 2024 19:32:23 UTC