Open pascoej opened 1 year ago
There are in-flight discussions regarding this, but I plan to make a PR removing the language. At least for platform credentials in case we need it.
From the f2f: Chrome will likely still zero out the aaguid for security keys, as SKs can stuff persistent identifiers in them. It would be nice for the Apple platform authenticator to have a non-zero aaguid though (:
This would be helpful for 3rd party passkey providers that wish to convey this identity to the RP for UX purposes. Dashlane is currently providing an AAGUID no matter the attestation request.
Assign to @agl: update spec to say zero out only for non-platform authenticators. Think about enterprise attestation.
As per processing in https://w3c.github.io/webauthn/#CreateCred-async-loop, the AAGUID is zeroed out if a none attestation is given. However, at least for the platform authenticator, WebKit is the only one to actually perform this step. The other implementations do not zero out the AAGUID and we have gotten requests to stop zeroing it out.
Should we change the spec to not zero out the AAGUID in the steps stating:
?
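The zeroing step discussed in this issue, as an added example that is not part of the thread or of any browser's code: it locates the AAGUID in the authenticator data and compares zeroing it for every authenticator with zeroing it only for non-platform authenticators, as proposed above. The function names, the `policy` values and the sample bytes are assumptions made for illustration, and only the AAGUID bytes are handled, not the rest of the attestation object.

```javascript
// Authenticator data: rpIdHash(32) | flags(1) | signCount(4) | attested credential data.
// Attested credential data begins with the 16-byte AAGUID and exists only if the AT flag is set.
const FLAGS_OFFSET = 32;
const FLAG_AT = 0x40;
const AAGUID_OFFSET = 37;
const AAGUID_END = AAGUID_OFFSET + 16;

// Returns the AAGUID as a UUID string, or null when no attested credential data is present.
function readAaguid(authData) {
  if (authData.length < AAGUID_OFFSET) throw new RangeError("authenticator data too short");
  if ((authData[FLAGS_OFFSET] & FLAG_AT) === 0) return null;
  if (authData.length < AAGUID_END) throw new RangeError("truncated attested credential data");
  const hex = Array.from(authData.slice(AAGUID_OFFSET, AAGUID_END),
    (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

// Hypothetical policy switch:
//   "all"               - zero the AAGUID for every authenticator (the step the issue describes)
//   "non-platform-only" - keep it for platform authenticators (the change proposed in the thread)
function applyNoneAttestation(authData, attachment, policy) {
  const out = Uint8Array.from(authData); // never mutate the caller's buffer
  if (readAaguid(authData) === null) return out; // nothing to zero without attested credential data
  const keep = policy === "non-platform-only" && attachment === "platform";
  if (!keep) out.fill(0, AAGUID_OFFSET, AAGUID_END);
  return out;
}

// Constructed sample: fake rpIdHash, flags UP|UV|AT, signCount 0, made-up AAGUID,
// 4-byte credential ID; the COSE public key that would follow is omitted.
function sampleAuthData() {
  const aaguid = Array.from({ length: 16 }, (_, i) => i + 1);
  return Uint8Array.from([
    ...new Array(32).fill(0xaa), 0x45, 0, 0, 0, 0,
    ...aaguid, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
  ]);
}

for (const [attachment, policy] of [["platform", "all"], ["platform", "non-platform-only"],
  ["cross-platform", "non-platform-only"]]) {
  const result = applyNoneAttestation(sampleAuthData(), attachment, policy);
  console.log(`${attachment} / ${policy}: ${readAaguid(result)}`);
}
```

An RP that receives the all-zero AAGUID cannot tell which passkey provider created the credential, which is the UX gap the comments above describe.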