Add RP conformance section on ignoring attestation

w3c · Mar 7, 2018 · cb06c8a · cb06c8a
1 parent 828b5be
commit cb06c8a
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -283,6 +283,22 @@ main benefits include:
     [=authenticator=].
 1. The [=[RP]=] does not need to store any secrets or sensitive information in order to gain the above benefits.
 
+### Ignoring Attestation ### {#sctn-conformance-ignoring-attestation}
+
+When [[#registering-a-new-credential|registering a new credential]], the [=[RP]=] MAY choose to accept an [=attestation
+statement=] with [=self attestation=] or [=no attestation statement|no attestation=], or to not verify the [=attestation
+statement=] at all. In all of these cases the [=[RP]=] loses much of benefit (3) above, but retains the other benefits.
+
+In these cases it is possible for a man-in-the-middle attacker - for example, a malicious [=client=] or script - to replace the
+[=credential public key=] to be registered, and subsequently tamper with any future [=assertion=] [=ceremony=] that passes through
+the same attacker. [=Authentication=] [=ceremonies=] are still highly resistant to man-in-the-middle attacks, but only against
+attackers that were not present at the time of [=registration=]. Note, however, that such an attack would be easy to detect and
+very difficult to maintain, since any [=assertion=] [=ceremony=] that the same attacker does not or cannot tamper with would
+always fail.
+
+The [=[RP]=] SHOULD consider the above in its threat model when deciding its policy on what [=attestation statements=] to accept.
+
+
 
 ## All Conformance Classes ## {#conforming-all-classes}