Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't zero platform-authenticator AAGUIDs. #2058

Merged
merged 1 commit into from
May 15, 2024
Merged

Don't zero platform-authenticator AAGUIDs. #2058

merged 1 commit into from
May 15, 2024

Conversation

agl
Copy link
Contributor

@agl agl commented Apr 20, 2024
edited by pr-preview bot
Loading

As discussed at the face-to-face, this reflects current practice where the AAGUID of platform authenticators are passed through even when attestation is not requested.

Preview | Diff

Don't zero platform-authenticator AAGUIDs.
8f87400 
As discussed at the face-to-face, this reflects current practice where
the AAGUID of platform authenticators are passed through even when
attestation is not requested.
@nadalin nadalin added this to the L3-WD-02 milestone May 1, 2024
@ve7jtb
Copy link
Contributor

ve7jtb commented May 1, 2024

This should apply to all authenticators not just pluggable passkey providers.

@emlun
Copy link
Member

emlun commented May 2, 2024

I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

@timcappalli
Copy link
Member

I'm sure we've discussed this at some point, but please remind me: what is the issue with the currently specified behaviour of zeroing the AAGUID for all authenticators, including platform authenticators, unless attestation is requested?

The AAGUID is valuable for end user credential names/icons, so many in market deployments are passing an AAGUID even when attestation is not requested. There was consensus in the group that AAGUID should be allowed without attestation.

At the F2F a few weeks back, there were concerns about only allowing this for platform providers, so the consensus was that there will be 2 PRs: one that just allows the current behavior (this one) and another that allows AAGUIDs from all authenticators.

@jschanck
Copy link

jschanck commented May 8, 2024

Is this PR is intended to allow clients to return the AAGUID? Or is it mandating that clients return the AAGUID?

@agl agl merged commit 88905f2 into main May 15, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pascoej pascoej pascoej approved these changes

@MasterKale MasterKale MasterKale approved these changes

@akshayku akshayku akshayku approved these changes

Assignees

@agl agl

Labels
type:technical
Projects
None yet
Milestone
L3-WD-02
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@agl @ve7jtb @emlun @timcappalli @jschanck @pascoej @MasterKale @akshayku @nadalin