How is attestation conveyance preference exposed through libfido2? #679
-
|
Looking through the libfido2 code, I don't see a means of setting/sending an attestation conveyance preference before calling fido_dev_make_cred(). I also see that under Windows, The translate_fido_cred() function hard codes the dwAttestationConveyancePreference to Direct (though it currently incorrectly sets it to Indirect due to a value error in webauthn.h) Shouldn't this ability be exposed by libfido2? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
libfido2 provides functionality to communicate with a FIDO device over USB or NFC, which is governed by the CTAP specification. With the exception of enterprise attestation, CTAP2.1 does not have a concept of an attestation conveyance preference parameter. Per the WebAuthn specification, if the attestation conveyance preference is The Windows Hello backend is hard-coded to use |
Beta Was this translation helpful? Give feedback.
-
|
Thank you. I was unaware that attestations direct/indirect where a function of the client. Looking at the chromium source I should be able to get a better understanding of how this is handled. |
Beta Was this translation helpful? Give feedback.
libfido2 provides functionality to communicate with a FIDO device over USB or NFC, which is governed by the CTAP specification. With the exception of enterprise attestation, CTAP2.1 does not have a concept of an attestation conveyance preference parameter. Per the WebAuthn specification, if the attestation conveyance preference is
noneorindirect, it is up to the client itself to replace the AAGUID and attestation statement with a more privacy-friendly version before passing along the result to the relying party.The Windows Hello backend is hard-coded to use
"direct"for it to behave the same way as our other backends.