Re: [webauthn] Enterprise packed attestation guidance (#1954)

> I find it disappointing that there is no defined structure for the data contained within the enterprise OID extension, similar to what there is for the packed attestation OID 1.3.6.1.4.1.45724.1.1.4. Makes it impossible for an RP to build a product that has consistent processing for different enterprise attestations.

The value is meant to be unique per AAGUID as an octet string, so comparison itself is defined. 

The non-defined, vendor specific part is how those binary values are supplied. If the authenticator is listed in a CSV with a serial number of 12345678, there isn't a single industry process to convert that into the OCTET_STRING for comparison.

Likewise, if a serial number is printed onto the authenticator, there isn't a process for how the field can be displayed in a way that can be used to correlate the two (or that the two actually be the same).

> I realise this is not within WebAuthn WG's domain, but still... As for WebAuthn, perhaps text that says it must be validated _using a vendor specified process_, or similar?

I think this is a good item to add to the hypothetical implementor's guidance for enterprise attestation.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1954#issuecomment-2359272154 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 18 September 2024 19:44:01 UTC
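Added example (not code from the thread, the WebAuthn spec, or any vendor): a minimal DER walker that pulls a FIDO-style OCTET STRING extension value out of an X.509 Extensions block by OID and compares it, which is the "defined" part dwaite describes, next to the "undefined" part: three plausible ways a vendor could have turned the CSV serial `12345678` into an OCTET STRING, which all produce different bytes. The AAGUID OID 1.3.6.1.4.1.45724.1.1.4 is the one named in the thread; `PLACEHOLDER_SERIAL_OID`, the sample AAGUID and the sample Extensions block are constructed for this example only and are not real assigned identifiers.

```python
"""DER extension lookup and serial-number octet-string comparison (added example)."""
import hmac
from typing import Optional

AAGUID_OID = "1.3.6.1.4.1.45724.1.1.4"            # id-fido-gen-ce-aaguid, named in the thread
PLACEHOLDER_SERIAL_OID = "1.3.6.1.4.1.99999.1.1"  # hypothetical stand-in for a vendor serial extension


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_read(buf: bytes, pos: int = 0):
    """Read the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def decode_oid(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body (first arc < 2, enough for the 1.3.x arcs used here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    extnValue carries the DER of the extension's own type, here an OCTET STRING, so it is wrapped twice."""
    body = der_oid(oid)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, der_tlv(0x04, value))
    return der_tlv(0x30, body)


def find_extension(extensions_der: bytes, wanted_oid: str) -> Optional[bytes]:
    """Walk an Extensions SEQUENCE and return the inner OCTET STRING bytes for wanted_oid, or None."""
    tag, seq, _ = der_read(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = der_read(seq, pos)
        _, oid_body, p = der_read(ext)
        if decode_oid(oid_body) != wanted_oid:
            continue
        t, field, p = der_read(ext, p)
        if t == 0x01:                      # skip the optional critical BOOLEAN
            t, field, p = der_read(ext, p)
        inner_tag, inner, _ = der_read(field)
        if inner_tag != 0x04:
            raise ValueError("expected OCTET STRING inside extnValue")
        return inner
    return None


def candidate_encodings(serial_text: str) -> dict:
    """Three mappings a vendor might have used for a printed/CSV serial; they all differ."""
    as_int = int(serial_text)
    return {
        "ascii": serial_text.encode("ascii"),                              # b'12345678'
        "hex-digits": bytes.fromhex(serial_text),                          # b'\x12\x34\x56\x78'
        "integer-be": as_int.to_bytes((as_int.bit_length() + 7) // 8, "big"),  # b'\xbc\x61\x4e'
    }


def verify_serial(extensions_der: bytes, serial_text: str, vendor_mapping: str) -> bool:
    """Compare the extension's octets with the CSV serial under the vendor-specified mapping."""
    value = find_extension(extensions_der, PLACEHOLDER_SERIAL_OID)
    if value is None:
        return False
    return hmac.compare_digest(value, candidate_encodings(serial_text)[vendor_mapping])


# Constructed sample: an Extensions block whose vendor chose the ASCII mapping.
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SERIAL_TEXT = "12345678"   # the CSV value from the thread
SAMPLE_EXTENSIONS = der_tlv(0x30, build_extension(AAGUID_OID, SAMPLE_AAGUID)
                            + build_extension(PLACEHOLDER_SERIAL_OID, SAMPLE_SERIAL_TEXT.encode("ascii")))

if __name__ == "__main__":
    print("aaguid:", find_extension(SAMPLE_EXTENSIONS, AAGUID_OID).hex())
    for name in candidate_encodings(SAMPLE_SERIAL_TEXT):
        print(f"{name:>10}: match={verify_serial(SAMPLE_EXTENSIONS, SAMPLE_SERIAL_TEXT, name)}")
```

The byte-for-byte comparison is the easy part; the example makes the thread's point concrete by showing that only one of the three mappings matches, and an RP has no way to pick it without the vendor telling it which one was used.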