How is attestation conveyance preference exposed through libfido2? #679
Looking through the libfido2 code, I don't see a means of setting/sending an attestation conveyance preference before calling fido_dev_make_cred(). I also see that under Windows, the translate_fido_cred() function hard-codes the dwAttestationConveyancePreference to Direct (though it currently incorrectly sets it to Indirect due to a value error in webauthn.h). Shouldn't this ability be exposed by libfido2?
libfido2 provides functionality to communicate with a FIDO device over USB or NFC, which is governed by the CTAP specification. With the exception of enterprise attestation, CTAP2.1 does not have a concept of an attestation conveyance preference parameter. Per the WebAuthn specification, if the attestation conveyance preference is "none" or "indirect", it is up to the client itself to replace the AAGUID and attestation statement with a more privacy-friendly version before passing along the result to the relying party. The Windows Hello backend is hard-coded to use "direct" for it to behave the same way as our other backends.
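The client-side step the reply describes, as an added example that is not part of libfido2 or of this thread: given the pieces of an attestation object an authenticator returned (here a constructed authenticator-data blob, a hypothetical "packed" statement), a WebAuthn client honouring a "none" preference zeroes the AAGUID inside the attested credential data and replaces the statement with the "none" format, while "direct" passes everything through. Field offsets follow the WebAuthn authenticator data layout; "indirect" is simplified to behave like "none" (no anonymization CA).

```python
import struct

# WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData
RPID_HASH_LEN = 32
FLAG_AT = 0x40          # "attested credential data included" bit in flags
AAGUID_OFFSET = RPID_HASH_LEN + 1 + 4
AAGUID_LEN = 16


def apply_conveyance(auth_data: bytes, fmt: str, att_stmt: dict, preference: str):
    """Apply an attestation conveyance preference on the client side.

    Returns (auth_data, fmt, att_stmt) as they would go into the attestation
    object handed to the relying party. "direct"/"enterprise" pass through;
    "none"/"indirect" get a zeroed AAGUID and an empty "none" statement.
    (Assumption: "indirect" is treated like "none"; a real client may instead
    use an anonymization CA.)
    """
    if preference not in ("none", "indirect", "direct", "enterprise"):
        raise ValueError(f"unknown attestation conveyance preference: {preference}")
    if preference in ("direct", "enterprise"):
        return auth_data, fmt, att_stmt
    flags = auth_data[RPID_HASH_LEN]
    if not flags & FLAG_AT:
        raise ValueError("authenticator data carries no attested credential data")
    if len(auth_data) < AAGUID_OFFSET + AAGUID_LEN + 2:
        raise ValueError("authenticator data truncated")
    scrubbed = (auth_data[:AAGUID_OFFSET]
                + b"\x00" * AAGUID_LEN
                + auth_data[AAGUID_OFFSET + AAGUID_LEN:])
    return scrubbed, "none", {}


def aaguid_of(auth_data: bytes) -> bytes:
    """Return the 16-byte AAGUID from authenticator data (no flag check)."""
    return auth_data[AAGUID_OFFSET:AAGUID_OFFSET + AAGUID_LEN]


def build_sample_auth_data() -> bytes:
    """Constructed sample: fake rpIdHash, AT|UP flags, counter 1, a vendor
    AAGUID of 0x00..0x0f, a 4-byte credential id and a stub COSE key."""
    rp_id_hash = b"\x11" * RPID_HASH_LEN
    flags = bytes([FLAG_AT | 0x01])
    sign_count = struct.pack(">I", 1)
    aaguid = bytes(range(AAGUID_LEN))
    cred_id = b"\xde\xad\xbe\xef"
    cose_key = b"\xa0"  # empty CBOR map standing in for the public key
    return (rp_id_hash + flags + sign_count + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```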