Issue #1941: The default value of attestation member in PublicKeyCredentialRequestOptions should be null or must not have default value
Comments
While prototyping this feature, I found that there are some procedures defined in the spec (step 15).
If the attestationFormats of the inputs from the webauthn client, which is based on the relying party input (attestation, attestationFormats), the authenticator would fall back to the So, the authenticator and the webauthn client might not return attestationObject in the assertion response.
In our authenticator prototyping we are interpreting none at the ctap2.2 level the same as not requesting an attestation, or the same as CTAP2.1. If we need to return fmt: "none" for getAssertion we should sort that out quickly. The server has no idea what generation of authenticator or Browser is being used, so it will always need to deal with the case where there is no attestation returned, even if the conveyance preference is none.
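The RP-side consequence of that comment, as an added example that is not code from the WebAuthn spec or from anyone in this thread: a verifier that treats a missing attestationObject in an assertion response as a normal outcome and, when one is present, decodes its CBOR top level to report the declared fmt. The attestationObject bytes and response dicts are constructed for the example; the CBOR decoder is deliberately minimal.

```python
# Added example, not from the WebAuthn spec or this thread; samples are constructed.
import io

def _read_len(stream, info):
    """Decode the CBOR additional-information field into a length/int."""
    if info < 24:
        return info
    return int.from_bytes(stream.read({24: 1, 25: 2, 26: 4, 27: 8}[info]), "big")

def _decode(stream):
    """Minimal CBOR decoder (uint, bstr, tstr, array, map) for an attestationObject's top level."""
    head = stream.read(1)
    if not head:
        raise ValueError("truncated CBOR")
    major, info = head[0] >> 5, head[0] & 0x1F
    if major == 0:
        return _read_len(stream, info)
    if major == 2:
        return stream.read(_read_len(stream, info))
    if major == 3:
        return stream.read(_read_len(stream, info)).decode("utf-8")
    if major == 4:
        return [_decode(stream) for _ in range(_read_len(stream, info))]
    if major == 5:
        result = {}
        for _ in range(_read_len(stream, info)):
            key = _decode(stream)  # decode key before value, explicitly
            result[key] = _decode(stream)
        return result
    raise ValueError(f"unsupported CBOR major type {major}")

def cbor_decode(data: bytes):
    return _decode(io.BytesIO(data))

def attestation_outcome(response: dict) -> str:
    """Classify the attestation in an assertion response (dict as the RP sees it
    after base64url decoding): "absent" when there is no attestationObject,
    otherwise the fmt the object declares."""
    att = response.get("attestationObject")
    if att is None:
        return "absent"  # the normal case; never an error for the RP
    obj = cbor_decode(att)
    if not isinstance(obj, dict) or "fmt" not in obj or "authData" not in obj:
        raise ValueError("malformed attestationObject")
    return obj["fmt"]

# Constructed samples: CBOR {"fmt": ..., "attStmt": {}, "authData": 37 zero bytes}
SAMPLE_NONE = b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData\x58\x25" + b"\x00" * 37
SAMPLE_PACKED = b"\xa3\x63fmt\x66packed\x67attStmt\xa0\x68authData\x58\x25" + b"\x00" * 37
```

The signature over authenticatorData and clientDataJSON still has to be verified on every path; attestation_outcome only decides whether there is an attestation statement to evaluate in addition.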
@nicksteele I'm happy to create a draft PR, and well noted. So, for RPs, there are the following cases for the assertion options.
For the first case, the I'm thinking that CTAP needs to have a way to support such cases.
This issue is made obsolete by the now merged PR #1997.
Proposed Change

In section 5.5, the PublicKeyCredentialRequestOptions dictionary is defined. Although asking for attestation in assertions is optional, the default value of the attestation member is the none attestation conveyance preference. It means that if the relying party does not set any attestation conveyance preference (does not ask for attestation in the assertion), the browser (webauthn client) will set the value of the attestation member to the default value none, which eventually might return an attestationObject with the none attestation statement format.

I'm thinking that attestation in assertion is optional, and if there is no explicit request, the attestation conveyance preference must be interpreted as "I don't need any attestation for assertion", which is not identical to the none attestation. So, the value of the attestation member should not default to none, and its absence should be treated as "I don't need any attestation for assertion; give me a conventional assertion for the credential get operation".