Don't zero platform-authenticator AAGUIDs.

Open agl opened this issue 3 months ago • 4 comments

As discussed at the face-to-face, this reflects current practice, where the AAGUIDs of platform authenticators are passed through even when attestation is not requested.


agl, Apr 20 '24 22:04

This should apply to all authenticators not just pluggable passkey providers.

ve7jtb, May 01 '24 19:05

I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

emlun, May 02 '24 13:05

> I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

The AAGUID is valuable for end-user credential names/icons, so many in-market deployments are passing an AAGUID even when attestation is not requested. There was consensus in the group that the AAGUID should be allowed without attestation.

At the F2F a few weeks back, there were concerns about only allowing this for platform providers, so the consensus was that there will be 2 PRs: one that just allows the current behavior (this one) and another that allows AAGUIDs from all authenticators.

timcappalli, May 02 '24 13:05
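To make the point of the thread concrete from the relying-party side: the AAGUID is the first 16 bytes of attestedCredentialData inside authenticatorData (offset 37, after the 32-byte rpIdHash, 1 flags byte and 4-byte signCount). When a client zeroes it, the RP gets 16 zero bytes and cannot name the provider; when it is passed through, the RP can map it to a name/icon even though, without attestation, nothing vouches for the value. The following parser is an added example written for this page, not code from the WebAuthn spec, this PR, or any browser; the authenticatorData test vector, the stub COSE key, and the AAGUID-to-name table (with a made-up AAGUID) are constructed for the example.

```python
"""Extract the AAGUID from WebAuthn authenticatorData on the RP side.

Layout (WebAuthn "Authenticator Data"):
  rpIdHash (32) | flags (1) | signCount (4, big-endian)
  | attestedCredentialData (present iff flags.AT) | extensions (iff flags.ED)
attestedCredentialData = aaguid (16) | credentialIdLength (2, big-endian)
                         | credentialId | credentialPublicKey (COSE_Key, CBOR)
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

ZERO_AAGUID = bytes(16)  # what a client sends when it suppresses the AAGUID

# Hypothetical AAGUID -> friendly name table. The AAGUID is made up for this
# example; real deployments use vendor-published AAGUIDs.
EXAMPLE_PLATFORM_AAGUID = uuid.UUID("00000000-0000-4000-8000-00000000aa01")
KNOWN_AAGUIDS = {EXAMPLE_PLATFORM_AAGUID: "Example Platform Passkeys"}


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    # Raw COSE_Key bytes. Any extensions (flags.ED) follow the key inside this
    # slice; splitting them off needs a CBOR decoder, which is out of scope here.
    credential_public_key: Optional[bytes]


def parse_authenticator_data(auth_data: bytes) -> AuthenticatorData:
    """Parse the fixed header and, when flags.AT is set, attestedCredentialData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = credential_id = public_key = None
    if flags & FLAG_AT:
        body = auth_data[37:]
        if len(body) < 18:
            raise ValueError("AT flag set but attestedCredentialData is truncated")
        aaguid = body[:16]
        (cred_len,) = struct.unpack(">H", body[16:18])
        if len(body) < 18 + cred_len:
            raise ValueError("credentialIdLength exceeds the available bytes")
        credential_id = body[18:18 + cred_len]
        public_key = body[18 + cred_len:]
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, public_key)


def aaguid_is_zeroed(aaguid: bytes) -> bool:
    """True when the client replaced the AAGUID with 16 zero bytes."""
    return aaguid == ZERO_AAGUID


def describe_credential(auth_data: bytes) -> str:
    """What an RP can show the user based solely on the (unattested) AAGUID."""
    parsed = parse_authenticator_data(auth_data)
    if parsed.aaguid is None:
        return "no attested credential data (AT flag clear)"
    if aaguid_is_zeroed(parsed.aaguid):
        return "AAGUID zeroed by the client; no provider name/icon available"
    name = KNOWN_AAGUIDS.get(uuid.UUID(bytes=parsed.aaguid))
    return name or f"unknown authenticator {uuid.UUID(bytes=parsed.aaguid)}"


def build_auth_data(aaguid: bytes, credential_id: bytes, cose_key: bytes,
                    rp_id: str = "example.com", sign_count: int = 0) -> bytes:
    """Constructed registration-time authenticatorData (not a captured one)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


# Stand-in COSE_Key: CBOR map {1: 2, 3: -7} (kty=EC2, alg=ES256) with the
# coordinates omitted, just enough bytes to occupy the credentialPublicKey slot.
STUB_COSE_KEY = bytes.fromhex("a201020326")

if __name__ == "__main__":
    cred_id = b"\x01\x02\x03\x04"
    print(describe_credential(build_auth_data(ZERO_AAGUID, cred_id, STUB_COSE_KEY)))
    print(describe_credential(build_auth_data(EXAMPLE_PLATFORM_AAGUID.bytes, cred_id, STUB_COSE_KEY)))
```

The caveat that goes with the thread: an AAGUID received with attestation "none" is client-asserted, not authenticator-proven, so the name/icon it drives is a UI hint only. Any policy decision (allowed authenticator models, MDS status, key protection claims) still needs a requested and verified attestation statement.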

Is this PR intended to allow clients to return the AAGUID? Or is it mandating that clients return the AAGUID?

jschanck, May 08 '24 17:05