[webauthn] RP guidelines should allow RP to not check attestation from Jeffrey Yasskin via GitHub on 2017-09-19 (public-webauthn@w3.org from September 2017)

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Sep 2017 16:29:09 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-258884440-1505838539-sysbot+gh@w3.org>

jyasskin has just created a new issue for https://github.com/w3c/webauthn:

== RP guidelines should allow RP to not check attestation ==
A Relying Party who merely wants to use public-key credentials without caring how well the private key is protected could get by without including code to parse the attestations, especially after #557 is fixed. However, as @emlun pointed out there, http://w3c.github.io/webauthn/#registering-a-new-credential currently says the RP MUST validate the attestation statement they receive. We should probably provide an explicit path in that algorithm to avoid parsing the attestation statement.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/576 using your GitHub account

Received on Tuesday, 19 September 2017 16:29:01 UTC