Don't zero platform-authenticator AAGUIDs. #2058

Merged
merged 1 commit into from
May 15, 2024

Conversation

agl
Contributor

@agl agl commented Apr 20, 2024

As discussed at the face-to-face, this reflects current practice where the AAGUIDs of platform authenticators are passed through even when attestation is not requested.

@nadalin nadalin added this to the L3-WD-02 milestone May 1, 2024
@ve7jtb
Contributor

ve7jtb commented May 1, 2024

This should apply to all authenticators not just pluggable passkey providers.

@emlun
Member

emlun commented May 2, 2024

I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

@timcappalli
Member

> I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

The AAGUID is valuable for end user credential names/icons, so many in market deployments are passing an AAGUID even when attestation is not requested. There was consensus in the group that AAGUID should be allowed without attestation.

At the F2F a few weeks back, there were concerns about only allowing this for platform providers, so the consensus was that there will be 2 PRs: one that just allows the current behavior (this one) and another that allows AAGUIDs from all authenticators.
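The relying-party side of the behaviour discussed above, as an added example that is not code from the spec or from this thread: it parses authenticator data, pulls the 16-byte AAGUID out of the attested credential data, and reports "no usable AAGUID" both when the AT flag is clear and when the client zeroed the field, so credential name/icon lookup only runs on a real value. The authenticator data blob is constructed for the demonstration, and the COSE public key that follows the credential ID is not parsed because it is not needed here.

```python
import hashlib
import struct
import uuid

# Authenticator data layout (WebAuthn section 6.1):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian) |
#   [attestedCredentialData: aaguid (16) | credIdLen (2, big-endian) |
#    credId | COSE public key (CBOR)] | [extensions (CBOR)]
FLAG_AT = 0x40          # attested credential data is present
ZERO_AAGUID = bytes(16)  # what a client sends when it withholds the AAGUID


def extract_aaguid(auth_data: bytes):
    """Return the AAGUID as a uuid.UUID, or None when the RP has nothing usable.

    None covers both cases the RP must treat alike: no attested credential
    data at all (AT flag clear), or an AAGUID the client zeroed because
    attestation was not requested.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16:
        raise ValueError("attested credential data truncated")
    aaguid = auth_data[37:53]
    if aaguid == ZERO_AAGUID:
        return None  # zeroed: cannot drive a credential name or icon
    return uuid.UUID(bytes=aaguid)


def make_auth_data(aaguid: bytes, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Build a constructed authenticator data blob with AT set (demo only).

    A real blob continues with the CBOR-encoded COSE key; it is omitted
    because extract_aaguid never reads past the credential ID length.
    """
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    flags = 0x01 | 0x04 | FLAG_AT  # UP | UV | AT
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)


if __name__ == "__main__":
    sample = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
    print(extract_aaguid(make_auth_data(sample.bytes)))   # the sample AAGUID
    print(extract_aaguid(make_auth_data(ZERO_AAGUID)))    # None
```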

@jschanck

jschanck commented May 8, 2024

Is this PR intended to allow clients to return the AAGUID? Or is it mandating that clients return the AAGUID?


9 participants