Closed Bug 1848077 Opened 10 months ago Closed 10 months ago

Web Authentication - Support None Attestation Statement Format with "direct" Attestation Conveyance

Categories

(Core :: DOM: Web Authentication, defect, P2)

Firefox 116

RESOLVED FIXED
118 Branch

People

(Reporter: cgh.block, Assigned: jschanck)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

Steps to reproduce:

I have a use case where the special authenticator returns None Attestation Statement Format { fmt: "none", authenticatorData, attStmt: emptyMap } in response to MakeCredential.
In the navigator.credentials.create() API, provide the attestation value as "direct".

Actual results:

The response from this API returns error message: "The operation failed for an unknown transient

Expected results:

An attestation object with "fmt": "none" is expected.
Both Safari and Chrome provide correct responses for the same scenario.

According to https://www.w3.org/TR/webauthn-2:

8.7. None Attestation Statement Format
The authenticator MAY also directly generate attestation statements of this format if the authenticator does not support attestation.

The authenticator can return a None Attestation Statement. And when Attestation Conveyance is set to "direct", the client should return an unaltered attestation statement format to the Relying Party.

"direct" or "enterprise" Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
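What a Relying Party should receive in this scenario, as an added example that is not part of the original report and is not Firefox or authenticator-rs code: a check that the attestation object carries fmt "none" together with an empty attStmt map. The function names, the minimal CBOR reader and the sample bytes are constructed for illustration; the input is assumed to be a Uint8Array.

```javascript
// Added example (not Firefox or authenticator-rs code).
// Minimal CBOR reader: only unsigned ints, byte/text strings and text-keyed maps.
function cborDecode(bytes, pos = 0) {
  if (pos >= bytes.length) throw new Error("truncated CBOR");
  const major = bytes[pos] >> 5, info = bytes[pos] & 0x1f;
  pos += 1;
  let len = info;
  if (info >= 24 && info <= 26) {
    const n = 1 << (info - 24); // 1, 2 or 4 bytes of length/value follow
    if (pos + n > bytes.length) throw new Error("truncated CBOR");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[pos + i];
    pos += n;
  } else if (info > 26) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return { value: len, pos };
  if (major === 2 || major === 3) {
    if (pos + len > bytes.length) throw new Error("truncated CBOR");
    const raw = bytes.slice(pos, pos + len);
    return { value: major === 3 ? new TextDecoder().decode(raw) : raw, pos: pos + len };
  }
  if (major !== 5) throw new Error("unsupported CBOR major type " + major);
  const map = new Map();
  for (let i = 0; i < len; i++) {
    const k = cborDecode(bytes, pos);
    if (typeof k.value !== "string") throw new Error("non-text map key");
    const v = cborDecode(bytes, k.pos);
    map.set(k.value, v.value);
    pos = v.pos;
  }
  return { value: map, pos };
}

// Relying-party check: fmt "none" must come with an empty attStmt map.
function checkNoneAttestation(attestationObject) {
  const { value: att, pos } = cborDecode(attestationObject);
  if (!(att instanceof Map) || pos !== attestationObject.length) throw new Error("malformed attestation object");
  const fmt = att.get("fmt"), attStmt = att.get("attStmt"), authData = att.get("authData");
  // authData minimum: rpIdHash (32) + flags (1) + signCount (4)
  if (!(authData instanceof Uint8Array) || authData.length < 37) throw new Error("bad authData");
  if (fmt !== "none") return { fmt, accepted: false };
  return { fmt, accepted: attStmt instanceof Map && attStmt.size === 0 };
}

// Constructed sample: fmt, attStmt and an all-zero 37-byte authData.
function sampleAttestationObject(fmt, attStmtCbor) {
  const t = (s) => [0x60 + s.length, ...new TextEncoder().encode(s)]; // short text string
  return Uint8Array.from([0xa3, ...t("fmt"), ...t(fmt), ...t("attStmt"), ...attStmtCbor,
    ...t("authData"), 0x58, 37, ...new Uint8Array(37)]);
}
console.log(checkNoneAttestation(sampleAttestationObject("none", [0xa0])));
```

In a browser, pass `new Uint8Array(credential.response.attestationObject)` to `checkNoneAttestation`.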

Thanks for this report. We have a fix for this upstream in authenticator-rs which we'll merge to Firefox in the 118 cycle.

Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → defect
Depends on: 1848172
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → 118 Branch

The upstream patch landed in Firefox in Bug 1848172.

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED