- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Mar 2025 22:42:38 +0000
- To: public-webauthn@w3.org
Following on from the WebAuthn WG call of 2025-03-26, I undertook to check/test if using browsers today and requesting enterprise attestation would allow auto fallback to direct attestation (i.e. if enterprise attestation was not available or allowed from the authenticator for a given RPID, a direct attestation would be provided). I hosted two websites with different RPIDs (let's call them RPID1 and RPID2), and the EA-enabled authenticator I am testing with is provisioned to supply an EA for one of these but not the other. Let's say the authenticator is EA-enabled for RPID1 but not RPID2. Did some tests on my Mac.

Chrome:
--------
Things worked as expected. When requesting enterprise attestation in navigator.credentials.create, for RPID1 I got an EA and for RPID2 I got the equivalent of direct attestation.

Safari:
--------
I might be missing required browser configuration, but in any case I was unable to get a WebAuthn registration ceremony to even start when requesting enterprise attestation on Safari. The call to navigator.credentials.create returned immediately with an error:

FIDO2 registration failed: NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.

Firefox:
--------
I don't think FF (at least in my default configuration of it) supports sending enterprise attestation to the authenticator at all, since when I requested enterprise attestation for RPID1, I ended up with a direct (non-EA) attestation. At least the ceremony didn't fail completely.

Happy to get some advice from the browser vendors here if there are specific configuration requirements for EA.
Regardless, I don't think it hurts (and if anything makes it more prescriptive and less likely to result in implementation differences) to suggest in WebAuthn that should enterprise attestation be requested in a call to navigator.credentials.create, and one cannot be provided, that fallback to direct attestation is the natural next step.

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1697#issuecomment-2759705989 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 27 March 2025 22:42:39 UTC
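The message above describes a relying party requesting `attestation: "enterprise"` and receiving, depending on browser and RPID, either an enterprise attestation, a direct (non-EA) attestation, or an outright failure. The following is an added example, not code from Shane Weeden or the WebAuthn WG, showing the RP-side consequence: build the creation options that request EA, then inspect the returned attestation object so that a silent fallback to direct or no attestation is detected rather than assumed. It assumes a minimal, definite-length-only CBOR codec written here for the example (a real RP should use a full CBOR library), constructed sample attestation objects (not real authenticator output), and hypothetical RPID names. Whether a returned certificate chain is an enterprise one is RP policy (for example, an identifying extension or serial number in the certificate) and is deliberately left to the caller; the attestation object itself carries no EA flag.

```javascript
const enc = new TextEncoder();
const dec = new TextDecoder();

// Creation options an RP hands to navigator.credentials.create().
// "enterprise" asks the browser to forward the EA request to the
// authenticator; rpId, challenge and userId are caller-supplied (assumed).
function buildCreationOptions(rpId, challenge, userId) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: "user@" + rpId, displayName: "Test User" },
    challenge: challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    attestation: "enterprise",
  };
}

// ---- minimal CBOR encoder (assumption: definite lengths, string keys) ----
function cborHead(major, n) {
  if (n < 24) return [(major << 5) | n];
  if (n < 0x100) return [(major << 5) | 24, n];
  return [(major << 5) | 25, n >> 8, n & 0xff];
}
function cborEncode(v) {
  if (v instanceof Uint8Array) return [...cborHead(2, v.length), ...v];
  if (typeof v === "string") { const b = enc.encode(v); return [...cborHead(3, b.length), ...b]; }
  if (typeof v === "number") return v >= 0 ? cborHead(0, v) : cborHead(1, -1 - v);
  if (Array.isArray(v)) return [...cborHead(4, v.length), ...v.flatMap(cborEncode)];
  const keys = Object.keys(v);
  return [...cborHead(5, keys.length), ...keys.flatMap((k) => [...cborEncode(k), ...cborEncode(v[k])])];
}

// ---- minimal CBOR decoder covering the same subset ----------------------
function cborDecode(bytes) {
  let pos = 0;
  const len = (ai) => {
    if (ai < 24) return ai;
    if (ai === 24) return bytes[pos++];
    if (ai === 25) { pos += 2; return (bytes[pos - 2] << 8) | bytes[pos - 1]; }
    throw new Error("unsupported CBOR length encoding");
  };
  const item = () => {
    const b = bytes[pos++], major = b >> 5, ai = b & 0x1f;
    switch (major) {
      case 0: return len(ai);
      case 1: return -1 - len(ai);
      case 2: { const n = len(ai); pos += n; return bytes.slice(pos - n, pos); }
      case 3: { const n = len(ai); pos += n; return dec.decode(bytes.slice(pos - n, pos)); }
      case 4: { const n = len(ai); return Array.from({ length: n }, item); }
      case 5: { const n = len(ai); const m = {}; for (let i = 0; i < n; i++) { const k = item(); m[k] = item(); } return m; }
      default: throw new Error("unsupported CBOR major type " + major);
    }
  };
  return item();
}

// Classify what the RP actually received:
//   "none" - no attestation statement at all (fmt "none")
//   "self" - packed self-attestation, no certificate chain
//   "x5c"  - a certificate chain is present; this is where an enterprise
//            attestation would surface, but proving it is one is RP policy
function classifyAttestation(attestationObjectBytes) {
  const att = cborDecode(attestationObjectBytes);
  if (!att.authData || att.authData.length < 37) throw new Error("authData too short");
  if (att.fmt === "none") return "none";
  if (att.attStmt && att.attStmt.x5c && att.attStmt.x5c.length > 0) return "x5c";
  if (att.fmt === "packed") return "self";
  return "other";
}

// Policy hook: when EA was requested but the browser/authenticator fell back
// (the behaviour reported above), decide whether registration may proceed.
function registrationDecision(attestationObjectBytes, { requireEnterprise }) {
  const kind = classifyAttestation(attestationObjectBytes);
  if (requireEnterprise && kind !== "x5c") {
    return { accept: false, kind, reason: "enterprise attestation required but no certificate chain returned" };
  }
  return { accept: true, kind };
}

// Constructed samples: 37-byte authData (zeroed rpIdHash, flags UP only,
// counter 0) wrapped in three attestation objects of different kinds.
const authData = new Uint8Array(37); authData[32] = 0x01;
const sampleNone = new Uint8Array(cborEncode({ fmt: "none", attStmt: {}, authData }));
const sampleSelf = new Uint8Array(cborEncode({ fmt: "packed", attStmt: { alg: -7, sig: new Uint8Array(64) }, authData }));
const sampleX5c = new Uint8Array(cborEncode({
  fmt: "packed",
  attStmt: { alg: -7, sig: new Uint8Array(64), x5c: [new Uint8Array([0x30, 0x03, 0x02, 0x01, 0x01])] }, // placeholder DER
  authData,
}));

console.log(buildCreationOptions("rpid1.example", new Uint8Array(32), new Uint8Array(16)).attestation);
for (const s of [sampleNone, sampleSelf, sampleX5c]) console.log(registrationDecision(s, { requireEnterprise: true }));
```

The point of `registrationDecision` is that an RP which needs enterprise attestation cannot rely on having asked for it: with the fallback behaviour described in the message, the only reliable signal is what the attestation object contains, so the check has to run on the server on every registration.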