Re: [webauthn] Discovery of migrated credentials (#2340)

> One ask is that the signal be as reliable as possible - if it can be signed as part of the authentication response, that would be preferred over an unsigned client extension.

This is, I think, worth spending a little bit of time on. The credProps path from last year still seems sensible to me a year later. But I also like Shane's idea of adding the AAGUID to part of the data that the signature is generated over during auth to give a bit of tamper resistance to AAGUID's conveyance. Not for using it for policy, but just a modicum of trust that the authenticator was able to convey its unattested identity.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2340#issuecomment-3403831503 using your GitHub account



Received on Tuesday, 14 October 2025 22:35:37 UTC