- From: fazoncore via GitHub <noreply@w3.org>
- Date: Sat, 07 Feb 2026 18:55:26 +0000
- To: public-webauthn@w3.org
Proposed spec text placement (WG-friendly, backward-compatible)

Suggested insertion points:
- § 15 Privacy Considerations
- § 14 Security Considerations
- § 6.4 Attestation Formats (Implementation Guidance)

Privacy Considerations (Normative)

Relying Parties and user agents MUST ensure that attestation information does not enable correlation of a single authenticator across multiple Relying Parties, unless the user has explicitly consented to such correlation.

Attestation materials MUST NOT contain globally unique, stable identifiers that are not cryptographically bound to the Relying Party Identifier.

Security Considerations (Clarifying)

Attestation mechanisms that introduce stable cross-origin identifiers may undermine the security and privacy guarantees of scoped public-key credentials and SHOULD be avoided unless strictly required by the deployment context.

Attestation Formats – Implementation Guidance (Non-Normative)

As a non-normative guideline, implementations SHOULD aim to keep:
- attestationObject ≤ 8 KB
- x5c certificate chains ≤ 6 KB

CBOR Encoding – Implementation Note (Non-Normative)

Authenticators and user agents are encouraged to use deterministic CBOR encoding (RFC 8949) where feasible. User agents MAY provide developer-facing diagnostics when unusually large or non-deterministic CBOR encodings are encountered.

--
GitHub Notification of comment by fazoncore
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2390#issuecomment-3865096806 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 7 February 2026 18:55:27 UTC
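One way to turn the size guidance and the deterministic-CBOR note in the comment above into a developer-facing diagnostic, as an added example that is not part of the comment or of the WebAuthn specification. It assumes "8 KB" and "6 KB" mean 8192 and 6144 bytes, applies the RFC 8949 §4.2.1 core deterministic rules (shortest-form arguments, map keys strictly increasing in bytewise order of their encodings, no indefinite-length items), and uses a constructed "packed" attestationObject rather than real authenticator output.

```python
# Added example: lint a WebAuthn attestationObject against the size and deterministic-CBOR
# guidance proposed above. Minimal CBOR subset: ints, byte/text strings, arrays, maps.
MAX_ATTESTATION_OBJECT = 8 * 1024  # "<= 8 KB" read as 8192 bytes (assumption)
MAX_X5C_CHAIN = 6 * 1024           # "<= 6 KB" read as 6144 bytes (assumption)
def _head(b, i, issues):
    # Initial byte -> (major type, argument, next offset); flag non-shortest arguments.
    mt, ai = b[i] >> 5, b[i] & 0x1F
    if ai < 24: return mt, ai, i + 1
    if ai > 27: raise ValueError(f"indefinite-length/reserved encoding at offset {i}")
    size = 1 << (ai - 24)                               # 1, 2, 4 or 8 argument bytes
    arg = int.from_bytes(b[i + 1:i + 1 + size], "big")
    if arg < (24 if size == 1 else 1 << (4 * size)):    # RFC 8949 s4.2.1 shortest form
        issues.append(f"non-shortest integer encoding at offset {i}")
    return mt, arg, i + 1 + size
def _decode(b, i, issues):
    mt, n, i = _head(b, i, issues)
    if mt == 0: return n, i
    if mt == 1: return -1 - n, i
    if mt in (2, 3): return (b[i:i + n] if mt == 2 else b[i:i + n].decode()), i + n
    if mt == 4:
        items = []
        for _ in range(n):
            v, i = _decode(b, i, issues); items.append(v)
        return items, i
    if mt == 5:
        out, prev = {}, b""
        for _ in range(n):
            start = i; k, i = _decode(b, i, issues); enc = b[start:i]
            if enc <= prev:   # keys must strictly increase bytewise (RFC 8949 s4.2.1)
                issues.append(f"map key {k!r} out of canonical order or duplicated")
            prev = enc
            out[k], i = _decode(b, i, issues)
        return out, i
    raise ValueError(f"unsupported major type {mt} at offset {i}")
def lint_attestation_object(ao):
    # Returns a list of guidance violations; an empty list means all checks passed.
    issues = []
    if len(ao) > MAX_ATTESTATION_OBJECT:
        issues.append(f"attestationObject is {len(ao)} bytes (> {MAX_ATTESTATION_OBJECT})")
    obj, end = _decode(ao, 0, issues)
    if end != len(ao): issues.append("trailing bytes after attestationObject")
    chain = sum(len(c) for c in obj.get("attStmt", {}).get("x5c", []))
    if chain > MAX_X5C_CHAIN: issues.append(f"x5c chain is {chain} bytes (> {MAX_X5C_CHAIN})")
    return issues
# Constructed sample, not real authenticator output: "packed" format, canonical key order.
GOOD = (b"\xa3\x63fmt\x66packed\x67attStmt\xa3\x63alg\x26\x63sig\x43\x01\x02\x03"
        b"\x63x5c\x81\x43\x30\x82\x00\x68authData\x45\x00\x00\x00\x00\x00")
# Same content, but "authData" placed before "fmt" and alg=-7 encoded as 0x38 0x06.
BAD = (b"\xa3\x68authData\x45\x00\x00\x00\x00\x00\x63fmt\x66packed\x67attStmt\xa3"
       b"\x63alg\x38\x06\x63sig\x43\x01\x02\x03\x63x5c\x81\x43\x30\x82\x00")
```

`lint_attestation_object(GOOD)` returns an empty list, while the `BAD` encoding reports the out-of-order key and the non-shortest integer, which is the kind of diagnostic the note suggests user agents could surface.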