Web Authentication - Support None Attestation Statement Format with "direct" Attestation Conveyance
Categories
(Core :: DOM: Web Authentication, defect, P2)
People
(Reporter: cgh.block, Assigned: jschanck)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Steps to reproduce:
I have a use case where the special authenticator returns None Attestation Statement Format { fmt: "none", authenticatorData, attStmt: emptyMap } in response to MakeCredential.
In the navigator.credentials.create() API, provide the attestation value as "direct".
Actual results:
The response from this API returns error message: "The operation failed for an unknown transient
Expected results:
An attestation object with "fmt": "none" is expected.
Both Safari and Chrome provide correct responses for the same scenario.
According to https://www.w3.org/TR/webauthn-2:
8.7. None Attestation Statement Format
The authenticator MAY also directly generate attestation statements of this format if the authenticator does not support attestation.
The authenticator can return a None Attestation Statement. And when Attestation Conveyance is set to "direct", the client should return an unaltered attestation statement format to the Relying Party.
"direct" or "enterprise" Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
Comment 1 (Assignee) • 10 months ago
Thanks for this report. We have a fix for this upstream in authenticator-rs which we'll merge to Firefox in the 118 cycle.
Comment 2 (Assignee) • 10 months ago
The upstream patch landed in Firefox in Bug 1848172.
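Added example (not part of the original report, and not Firefox or authenticator-rs code): a Relying Party-side check for the attestation object the report expects to receive unaltered when "direct" is requested. It decodes the CBOR with a minimal reader and confirms that fmt is "none" with an empty attStmt. The function names, the "unverified" label and the sample bytes are constructed for illustration; in the WebAuthn attestation object the authenticator data is stored under the key authData.

```javascript
// Minimal CBOR reader for the subset used here: uint, bytes, text, map.
function readCbor(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let len = info, next = pos + 1;
  if (info === 24) { len = buf[next]; next += 1; }
  else if (info === 25) { len = (buf[next] << 8) | buf[next + 1]; next += 2; }
  else if (info > 25) throw new Error("unsupported CBOR length encoding");
  if (next > buf.length) throw new Error("truncated CBOR");
  if (major === 0) return { value: len, pos: next };
  if (major === 2 || major === 3) {
    if (next + len > buf.length) throw new Error("truncated CBOR");
    const bytes = buf.slice(next, next + len);
    const value = major === 2 ? bytes : new TextDecoder().decode(bytes);
    return { value, pos: next + len };
  }
  if (major !== 5) throw new Error("unsupported CBOR major type " + major);
  const map = Object.create(null); // no prototype, so keys cannot collide
  for (let i = 0; i < len; i++) {
    const k = readCbor(buf, next);
    const v = readCbor(buf, k.pos);
    map[k.value] = v.value;
    next = v.pos;
  }
  return { value: map, pos: next };
}

// Relying Party side: accept { fmt: "none", attStmt: {} } as attestation type None.
function checkNoneAttestation(attestationObject) {
  const { value: obj, pos } = readCbor(attestationObject);
  if (pos !== attestationObject.length) throw new Error("trailing bytes");
  if (!(obj.authData instanceof Uint8Array)) throw new Error("authData missing");
  // Other formats need their own verification; "unverified" is a hypothetical label.
  if (obj.fmt !== "none") return { fmt: obj.fmt, attestationType: "unverified" };
  const stmt = obj.attStmt;
  const isMap = typeof stmt === "object" && stmt !== null && !(stmt instanceof Uint8Array);
  if (!isMap || Object.keys(stmt).length !== 0) throw new Error("fmt none requires an empty attStmt");
  return { fmt: "none", attestationType: "None" };
}

// Constructed sample; authData is 37 placeholder zero bytes, not real data.
const enc = (s) => [...new TextEncoder().encode(s)];
const SAMPLE_NONE = Uint8Array.from([
  0xa3, 0x63, ...enc("fmt"), 0x64, ...enc("none"),
  0x67, ...enc("attStmt"), 0xa0,
  0x68, ...enc("authData"), 0x58, 37, ...new Array(37).fill(0),
]);
console.log(checkNoneAttestation(SAMPLE_NONE));
```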