Emil Lundberg
While we indeed don't currently have a way for RPs to do this - except overwriting the existing credential with a new one by setting the same `user.id` - CTAP2.1...
I'm not sure. We discussed this a bit on the [2022-07-27 meeting](https://www.w3.org/2022/07/27-webauthn-minutes.html), and there's tentative support for "something" to support this. It gets complicated because external authenticators are intermittently connected,...
I don't think any change is necessary. The combination of step 12: >Perform CBOR decoding on the _attestationObject_ field [...] to obtain [...] the authenticator data _authData_ and step 16:...
Fair point. See also: #1064
Sorry for the delay. But coming back to this, I no longer feel convinced that any change is necessary. The primary argument in favour of a change is that you...
Sorry for leaving this hanging. Is this now resolved by PR #1773?
> Proponents are not expecting it to be in L3. L2, if I may. :) (Not expecting this to make L2, probably more suited to L3)
> #### AAGUID transmission > > Doesn't seem necessary to leak this to RPs? RP learn and, if they demand, can judge attestation for recovery authenticators when a recovery is...
>I don't believe that we would want to transmit AAGUIDs in a non-enterprise context. I suggested in yesterday's WG call that we could include a parameter `AttestationConveyancePreference attestation` in the...
I've now added an `attestation` parameter to the extension input for enabling/disabling AAGUIDs, and also rewritten the authenticator inputs/outputs as CDDL instead of WebIDL. I didn't add any algorithm negotiation...