Include enterpriseAttestation in getClientClientCapabilities #2051
Conversation
timcappalli
requested review from
agl,
ve7jtb,
emlun,
pascoej,
MasterKale,
jschanck and
akshayku
|
@msft-bob looks like you're not in the repo so I can't assign review to you, but flagging for your feedback via comment |
There was a problem hiding this comment.
This probably needs to take into account not only whether the client can support enterprise attestation, but also whether enterprise attestation is allowed for the calling RP.
There's also the possible complication that it might be allowed by the client, but not by the authenticator if it is configured for vendor-facilitated enterprise attestation instead of platform-managed enterprise attestation. Do we need to care about that here? @ve7jtb
@emlun the intent was to only convey whether the WebAuthn client supported it, not whether it was allowed for a given origin/RP. |
|
Ah, ok. In that case it's probably worth mentioning in the |
|
The type error if an attestation type is not supported should not be a reason to merge this. Browsers should not error out on unknown values to begin with, and we should not patch non compliant behaviour with more feature detection. However, when an RP requires Enterprise Attestation, it probably doesn't make any sense to continue the ceremony when it has no chance to succeed -- so I can see value in this capability. My only concern is there will be a gap until we get the browsers updated where EA will be supported, but this capability will not. Are we risking those RPs assuming EA is not supported when it is during that gap? |
|
Closing for the time being. |
enterpriseAttestationto getClientClientCapabilities enumResolves #1742
Preview | Diff