- From: fazoncore via GitHub <noreply@w3.org>
- Date: Sat, 07 Feb 2026 18:52:29 +0000
- To: public-webauthn@w3.org
fazoncore has just created a new issue for https://github.com/w3c/webauthn:

== Proposal: Scoped Attestation Privacy + Practical CBOR Size Guidance (WebAuthn L3) ==

Context

WebAuthn Level 3 defines scoped public-key credentials and access restrictions bound to the RP ID / origins. However, attestation responses can still introduce cross-RP correlation risks and operational/transport constraints due to unbounded attestationObject size.

Problem

1) Scoped-credential privacy is well-defined at the credential access layer, but attestation materials can contain stable identifiers (e.g., cert chain details) that enable correlation across RPs.
2) There is no practical guidance on attestationObject envelope size, despite known handshake/transport constraints (notably QUIC Initial datagram rules and typical MTU realities). QUIC requires Initial packets to be padded to at least 1200 bytes. RFC 9000: https://datatracker.ietf.org/doc/html/rfc9000
3) CBOR encoding choices vary widely; deterministic encoding guidance exists in CBOR (RFC 8949) but is not surfaced as best practice for WebAuthn objects. https://datatracker.ietf.org/doc/html/rfc8949

Proposal (Normative + Non-Normative)

A) Scoped Attestation Privacy (Normative)
- Authenticators and UAs MUST NOT include attestation information that enables correlation of a single authenticator across multiple Relying Parties, unless explicitly authorized by the user.
- Attestation certificates MUST NOT encode globally unique, stable identifiers usable for cross-RP tracking.
- Attestation material MUST be RP-scoped or cryptographically unlinkable across RPs.

B) Practical Size Guidance (Non-Normative Best Practice)
Recommend that implementations SHOULD aim to keep:
- attestationObject <= 8 KB
- x5c (certificate chain) <= 6 KB
- total PublicKeyCredential response payload (excluding signature) <= 10 KB

C) CBOR Encoding Guidance (Non-Normative)
- Authenticators SHOULD use deterministic CBOR encoding where feasible (RFC 8949 deterministic encoding rules).
- Avoid redundant map keys and optional fields unless semantically required.
- UAs MAY log/warn (non-fatal) on unusual size / non-deterministic CBOR where it can improve developer visibility.

Testability / Conformance Ideas

1) Cross-RP Correlation Test (privacy): compare attestationObject signals across distinct origins.
2) Size Envelope Test: warn when guidance thresholds are exceeded.
3) CBOR Determinism Test: warn on non-deterministic / non-canonicalizable encodings.

Requested WG Feedback

1) Should scoped attestation privacy be explicitly normative (MUST NOT allow cross-RP correlators)?
2) Are the suggested size envelopes acceptable as non-normative guidance?
3) Where should CBOR guidance live (core spec vs. implementation note)?

Links
- WebAuthn L3: https://www.w3.org/TR/webauthn-3/
- RFC 8949 (CBOR): https://datatracker.ietf.org/doc/html/rfc8949
- RFC 9000 (QUIC): https://datatracker.ietf.org/doc/html/rfc9000

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2390 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 7 February 2026 18:52:30 UTC
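The Size Envelope Test and CBOR Determinism Test sketched in the issue's Testability section, as an added Python example that is not part of the issue, the WebAuthn spec or any browser's code: a small RFC 8949 core-deterministic encoder/decoder for the types an attestationObject uses, the 8 KB / 6 KB thresholds the issue proposes, and a re-encode comparison that flags non-shortest or unsorted encodings. The sample attestation object, the 0x38 0x06 variant and the function names are constructed for this example.

```python
MAX_ATT_OBJ, MAX_X5C = 8 * 1024, 6 * 1024  # size envelopes proposed in the issue

def _head(major, n):
    """Initial byte plus shortest argument encoding (RFC 8949 s4.2.1)."""
    if n < 24:
        return bytes([major << 5 | n])
    w = next(w for w in (1, 2, 4, 8) if n < 1 << (8 * w))
    return bytes([major << 5 | 24 + w.bit_length() - 1]) + n.to_bytes(w, "big")

def encode(v):
    """Core deterministic CBOR (definite lengths, shortest ints, sorted map keys)."""
    if isinstance(v, int): return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str): return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return _head(4, len(v)) + b"".join(map(encode, v))
    if isinstance(v, dict):
        items = sorted((encode(k), encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type {type(v).__name__}")

def decode(b, pos=0):
    """Decode one item of the same subset; returns (value, position after it)."""
    major, ai, pos = b[pos] >> 5, b[pos] & 0x1F, pos + 1
    if ai >= 28 or major > 5: raise ValueError("indefinite, tagged or float item")
    w = 0 if ai < 24 else 1 << (ai - 24)
    n, pos = (ai if ai < 24 else int.from_bytes(b[pos:pos + w], "big")), pos + w
    if major == 0: return n, pos
    if major == 1: return -1 - n, pos
    if major == 2: return b[pos:pos + n], pos + n
    if major == 3: return b[pos:pos + n].decode(), pos + n
    out = [] if major == 4 else {}
    for _ in range(n):
        k, pos = decode(b, pos)
        if major == 4: out.append(k)
        else: out[k], pos = decode(b, pos)
    return out, pos

def check_attestation_object(blob):
    """Warnings the issue's Size Envelope and CBOR Determinism tests would raise."""
    obj, _ = decode(blob)
    x5c_len = sum(map(len, obj.get("attStmt", {}).get("x5c", [])))
    checks = [(len(blob) > MAX_ATT_OBJ, f"attestationObject {len(blob)} B > {MAX_ATT_OBJ} B"),
              (x5c_len > MAX_X5C, f"x5c chain {x5c_len} B > {MAX_X5C} B"),
              (encode(obj) != blob, "attestationObject is not deterministically encoded")]
    return [msg for failed, msg in checks if failed]

# Constructed sample (not a real credential): 'packed' attestation, one 1500-byte dummy cert.
SAMPLE = {"fmt": "packed", "authData": b"\x00" * 37,
          "attStmt": {"alg": -7, "sig": b"\x30" * 70, "x5c": [b"\x30" * 1500]}}
LOOSE = encode(SAMPLE).replace(b"\x26", b"\x38\x06", 1)  # alg=-7 in non-shortest form
```

A user agent applying the issue's "warn, don't fail" guidance would log the returned list rather than reject the credential.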