Commit
Merge branch 'update-aaguid-def' into update-aaguid-def-retain-authdata-def
emlun committed Oct 5, 2023
2 parents d36a4dd + 89bee48 commit 4fd5ec1
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions index.bs
Expand Up @@ -4093,12 +4093,12 @@ considered more trustworthy than the rest of the authenticator.
Each authenticator stores a <dfn for=authenticator>credentials map</dfn>, a [=map=] from ([=rpId=], [=public key credential source/userHandle=]) to
[=public key credential source=].

Additionally, each authenticator has an Authenticator Attestation GUID or <dfn>AAGUID</dfn>, which is a 128-bit identifier indicating the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical authenticators made by that maker, and
different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be
randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain properties of the authenticator, such as certification level
and strength of key protection, using information from other sources. The [=[RP]=] MAY use the AAGUID to attempt to identify the maker of the authenticator
without performing [=attestation=], but would be unable to trust that inference unless [=attestation=] is performed.
Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or <dfn>AAGUID</dfn>, which is a 128-bit identifier
indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical
authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type
of authenticator SHOULD be randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain properties of the authenticator, such as
certification level and strength of key protection, using information from other sources. The [=[RP]=] MAY use the AAGUID to attempt to identify the maker of
the authenticator without requesting and verifying [=attestation=], but the AAGUID is not provably authentic without [=attestation=].

The primary function of the authenticator is to provide [=WebAuthn signatures=], which are bound to various contextual data. These
data are observed and added at different levels of the stack as a signature request passes from the server to the
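Review bot: The whole paragraph is reflowed, so the diff shows all six lines replaced even though the substantive changes are three short phrases: "Attestation GUID" becomes "Attestation Globally Unique Identifier", "without performing [=attestation=]" becomes "without requesting and verifying [=attestation=]", and "would be unable to trust that inference unless [=attestation=] is performed" becomes "the AAGUID is not provably authentic without [=attestation=]". Keeping the original line wrapping would let reviewers see exactly those wording changes and keep blame history readable. On the last phrase, consider making the security consequence explicit for implementers: since the AAGUID is supplied by the authenticator itself, a [=[RP]=] that does not verify [=attestation=] must treat any inference drawn from it (maker, certification level, key protection strength) as an unverified hint rather than a property it can rely on for a policy decision.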