w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

WebAuthn Clients should NOT zero out AAGUIDs from security keys when attestation is none #2198

Closed timcappalli closed 1 week ago

timcappalli commented 1 week ago

There has been some confusion across multiple issues, so creating another one 🫠.

In #2058, spec text was added to only zero out AAGUIDs for none attestations when the authenticator was not a platform authenticator.

Proposal is to remove this change altogether, which would allow AAGUIDs from security keys to not be zeroed out.

Remove:

If authenticator is not a [platform authenticator](https://w3c.github.io/webauthn/#platform-authenticators) then replace the [aaguid](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in the [attested credential data](https://w3c.github.io/webauthn/#attested-credential-data) with 16 zero bytes.

This makes the behavior the same across all authenticator types from the client perspective.
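For the field the proposal is about, here is what a relying party actually sees, written up as an added example (not code from the spec, this repository or anyone in this thread). It splits authenticator data along the layout the spec defines (rpIdHash, flags, signCount, then, when the AT flag is set, the 16-byte AAGUID, a 2-byte credential ID length, the credential ID and the COSE public key) and reports whether the AAGUID arrived as 16 zero bytes. The sample AAGUID, credential ID and the empty CBOR map standing in for a COSE key are constructed values, and the helper names are my own.

```python
"""Parse WebAuthn authenticator data and report whether the AAGUID in the
attested credential data was zeroed, as a relying party would observe it.
Added example; not part of the spec text or this issue thread."""
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

ZERO_AAGUID = bytes(16)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fields.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    | if AT: aaguid (16) | credentialIdLength (2) | credentialId | credentialPublicKey (COSE_Key, CBOR)
    | if ED: extensions (CBOR).
    The COSE key is not decoded; it is returned as the remaining bytes, which is only
    correct when ED is clear, so the ED case is rejected rather than mis-parsed.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
        "public_key_cbor": None,
    }
    if not flags & FLAG_AT:
        return parsed
    if flags & FLAG_ED:
        raise ValueError("extension data present; a CBOR decoder is needed to find the key's end")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated before credentialIdLength")
    aaguid = auth_data[37:53]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credentialId truncated")
    parsed.update(
        aaguid=aaguid,
        credential_id=cred_id,
        public_key_cbor=auth_data[55 + cred_len:],
    )
    return parsed


def aaguid_is_zeroed(aaguid: bytes) -> bool:
    """True when the AAGUID was replaced with 16 zero bytes before reaching the RP."""
    return aaguid == ZERO_AAGUID


def build_authenticator_data(rp_id: str, aaguid: bytes, credential_id: bytes,
                             public_key_cbor: bytes, sign_count: int = 0) -> bytes:
    """Assemble authenticator data with UP, UV and AT set (test-vector helper, ED clear)."""
    if len(aaguid) != 16:
        raise ValueError("AAGUID must be 16 bytes")
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + public_key_cbor)


# Constructed sample values; not output from any real authenticator.
SAMPLE_AAGUID = uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10").bytes
SAMPLE_CRED_ID = b"constructed-credential-id"
SAMPLE_COSE_KEY = b"\xa0"  # empty CBOR map standing in for a COSE_Key


def describe(auth_data: bytes) -> str:
    """One-line summary of what the RP learns about the authenticator model."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["aaguid"] is None:
        return "no attested credential data"
    if aaguid_is_zeroed(parsed["aaguid"]):
        return "AAGUID zeroed: authenticator model not disclosed"
    return f"AAGUID {uuid.UUID(bytes=parsed['aaguid'])}: authenticator model disclosed"


if __name__ == "__main__":
    intact = build_authenticator_data("example.com", SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY, 7)
    zeroed = build_authenticator_data("example.com", ZERO_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY, 7)
    print(describe(intact))
    print(describe(zeroed))
```

With the spec text quoted above in force, a registration from a roaming security key under `attestation: "none"` would take the second branch of `describe` (zeroed), while a platform authenticator would take the first; with that sentence removed, both would take the first and the RP would see the authenticator's real AAGUID regardless of authenticator type.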

zacknewman commented 1 week ago

§ 5.1.3. states:

When this method is invoked, the user agent MUST execute the following algorithm:

This means that not only are AAGUIDs "allowed" to not be zeroed out, but that it is in fact forbidden to do so as that would violate the algorithm which MUST be followed. Am I being too pedantic here, or are user agents in fact not allowed to zero out AAGUID?

emlun commented 1 week ago

@zacknewman I think your conclusion is accurate - clients are expected to conform to the normative algorithm definitions.