WebAuthn Clients should NOT zero out AAGUIDs from security keys when attestation is none #2198

Closed
timcappalli opened this issue Nov 13, 2024 · 2 comments · Fixed by #2199
@timcappalli (Member)

There has been some confusion across multiple issues, so creating another one 🫠.

In #2058, spec text was added to only zero out AAGUIDs for none attestations when the authenticator was not a platform authenticator.

Proposal is to remove this change altogether, which would allow AAGUIDs from security keys to not be zeroed out.

Remove:

If authenticator is not a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators) then replace the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) with 16 zero bytes.

This makes the behavior the same across all authenticator types from the client perspective.

@timcappalli timcappalli changed the title WebAuthn Clients should pass AAGUIDs from security keys when attestation is none WebAuthn Clients should NOT zero out AAGUIDs from security keys when attestation is none Nov 13, 2024
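The quoted spec step operates on the attested credential data inside the authenticator data returned at registration. As an added example that is not part of this issue or of the WebAuthn spec text, the following JavaScript parses that structure (rpIdHash, flags, signCount, then aaguid, credentialIdLength, credentialId and the COSE public key when the AT flag is set), reports whether the AAGUID is the 16-zero-byte value, and reproduces the client-side zeroing step quoted above as a separate function so the before and after behaviours can be compared. The function names, the sample bytes and the assumption that no extension data (ED flag) follows the public key are mine; it runs under Node with no dependencies.

```javascript
// Added example, not code from the WebAuthn spec or this issue.
// Layout of authenticator data (WebAuthn §6.1):
//   rpIdHash[32] | flags[1] | signCount[4] | attestedCredentialData (if AT) | extensions (if ED)
// attestedCredentialData:
//   aaguid[16] | credentialIdLength[2, big-endian] | credentialId | credentialPublicKey (COSE, CBOR)
const FLAG_UP = 0x01; // user present
const FLAG_AT = 0x40; // attested credential data included
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";

function concatBytes(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let offset = 0;
  for (const p of parts) {
    out.set(p, offset);
    offset += p.length;
  }
  return out;
}

// Render 16 AAGUID bytes in the usual 8-4-4-4-12 hex form.
function formatAaguid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

// Parse authenticator data; assumes no extension data follows the public key
// (a CBOR decoder would be needed to find the end of the COSE key otherwise).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const parsed = {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    signCount: view.getUint32(33, false),
    attestedCredentialData: null,
  };
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error("attested credential data truncated");
    const aaguidBytes = authData.slice(37, 53);
    const credentialIdLength = view.getUint16(53, false);
    const end = 55 + credentialIdLength;
    if (authData.length < end) throw new Error("credential ID truncated");
    parsed.attestedCredentialData = {
      aaguid: formatAaguid(aaguidBytes),
      aaguidIsZero: aaguidBytes.every((b) => b === 0),
      credentialId: authData.slice(55, end),
      credentialPublicKey: authData.slice(end), // raw COSE key bytes, not decoded here
    };
  }
  return parsed;
}

// Reproduces the client step quoted in the issue (the text proposed for removal):
// for attestation "none" on a non-platform authenticator, overwrite the AAGUID
// with 16 zero bytes. Returns a copy; the input is left untouched.
function applyRemovedZeroingStep(authData, { attestation, isPlatformAuthenticator }) {
  const out = authData.slice();
  if (attestation === "none" && !isPlatformAuthenticator && (out[32] & FLAG_AT)) {
    out.fill(0, 37, 53);
  }
  return out;
}

// Constructed sample authenticator data (not captured from a real authenticator).
function buildSampleAuthData() {
  const rpIdHash = new Uint8Array(32).fill(0x11);
  const flags = new Uint8Array([FLAG_UP | FLAG_AT]);
  const signCount = new Uint8Array([0, 0, 0, 7]);
  const aaguid = Uint8Array.from({ length: 16 }, (_, i) => i + 1);
  const credentialId = new Uint8Array([0xde, 0xad, 0xbe, 0xef]);
  const credentialIdLength = new Uint8Array([0, credentialId.length]);
  const credentialPublicKey = new Uint8Array([0xa5, 0x01, 0x02]); // truncated COSE key placeholder
  return concatBytes([rpIdHash, flags, signCount, aaguid, credentialIdLength, credentialId, credentialPublicKey]);
}

const sample = buildSampleAuthData();
console.log("as sent by the authenticator:", parseAuthenticatorData(sample).attestedCredentialData.aaguid);
const zeroed = applyRemovedZeroingStep(sample, { attestation: "none", isPlatformAuthenticator: false });
console.log("after the removed client step:", parseAuthenticatorData(zeroed).attestedCredentialData.aaguid);
```

With the quoted step removed, a relying party asking for `attestation: "none"` sees the same AAGUID from a security key that it would see from a platform authenticator; `aaguidIsZero` is the check an RP can use to tell a passed-through AAGUID from one a client (or an authenticator that reports none) has zeroed.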
@zacknewman (Contributor) commented Nov 13, 2024

§ 5.1.3. states:

When this method is invoked, the user agent MUST execute the following algorithm:

This means that not only are AAGUIDs "allowed" to not be zeroed out, but that it is in fact forbidden to do so as that would violate the algorithm which MUST be followed. Am I being too pedantic here, or are user agents in fact not allowed to zero out AAGUID?

@emlun (Member) commented Nov 14, 2024

@zacknewman I think your conclusion is accurate - clients are expected to conform to the normative algorithm definitions.
