
Should credentials requested with attestation=none include an AAGUID?

Open pascoej opened this issue 1 year ago • 10 comments

As per processing in https://w3c.github.io/webauthn/#CreateCred-async-loop, the AAGUID is zeroed out if a none attestation is given. However, at least for the platform authenticator, WebKit is the only one to actually perform this step. The other implementations do not zero out the AAGUID and we have gotten requests to stop zeroing it out.

Should we change the spec to not zero out the AAGUID in the steps stating:

credentialCreationData.attestationConveyancePreferenceOption’s value is ... Otherwise ... Replace the AAGUID in the attested credential data with 16 zero bytes.

?

pascoej, Sep 12 '23 14:09
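An added example (not part of the original issue or of any browser's code) showing where the AAGUID sits in authenticator data and what a relying party observes when the quoted zeroing step is or is not applied. The function names and sample bytes are constructed for illustration.

```javascript
// Authenticator data layout: rpIdHash(32) | flags(1) | signCount(4) | attested credential data...
// Attested credential data begins: aaguid(16) | credentialIdLength(2) | credentialId | public key.
const FLAGS_OFFSET = 32;
const FLAG_AT = 0x40; // bit 6: attested credential data included
const AAGUID_OFFSET = 37;
const AAGUID_LEN = 16;

// Returns the 16 AAGUID bytes, or null when no attested credential data is present.
function readAaguid(authData) {
  if (authData.length < AAGUID_OFFSET) throw new RangeError("authenticator data too short");
  if ((authData[FLAGS_OFFSET] & FLAG_AT) === 0) return null;
  if (authData.length < AAGUID_OFFSET + AAGUID_LEN + 2) throw new RangeError("attested credential data truncated");
  return authData.slice(AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
}

// The quoted spec step: replace the AAGUID with 16 zero bytes. Returns a copy.
function zeroAaguid(authData) {
  const out = Uint8Array.from(authData);
  if (readAaguid(out) !== null) out.fill(0, AAGUID_OFFSET, AAGUID_OFFSET + AAGUID_LEN);
  return out;
}

function formatAaguid(aaguid) {
  const hex = Array.from(aaguid, (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

// What a relying party sees for a given attestation statement format.
function inspectRegistration(fmt, authData) {
  const aaguid = readAaguid(authData);
  if (aaguid === null) return { fmt, aaguid: null, zeroed: false };
  return { fmt, aaguid: formatAaguid(aaguid), zeroed: aaguid.every((b) => b === 0) };
}

// Constructed sample, not captured from a real authenticator.
const sampleAuthData = Uint8Array.from([
  ...new Array(32).fill(0x11),                       // rpIdHash (constructed)
  0x45,                                              // flags: UP | UV | AT
  0, 0, 0, 0,                                        // signCount
  ...Array.from({ length: 16 }, (_, i) => 0xa0 + i), // AAGUID (constructed)
  0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,                // credentialIdLength = 4, credentialId
  0xa0,                                              // stand-in for the COSE key; not parsed here
]);

console.log(inspectRegistration("none", sampleAuthData));             // AAGUID left in place
console.log(inspectRegistration("none", zeroAaguid(sampleAuthData))); // zeroing step applied
```

With `none` attestation there is no attestation signature covering the authenticator data, so a non-zero AAGUID seen by the relying party is an unverified hint about the authenticator model.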