28 Feb
Suggestions for implementing a simplified subset of WebAuthn Relying Party Operation
Previously some good fellow explained the importance of verifying the public key created and offered by authenticators.
As before, given the complexity of a FULL implementation of RP operation, I believe it's possible that some aspect may be mis-implemented by someone who doesn't fully understand the spec (e.g. having to implement ECDAA to verify some attestation formats).
So Q1: Is it reasonable to implement just a subset of WebAuthn relying party operation? E.g. accepting only "self" attestation and the "none" attestation format, so that the public key can be used to verify itself, without having to trace a trust anchor in the x5c array structure?
Q2: Is there a "mandatory" attestation statement format and optional ones?
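To make the "self attestation" case in the question concrete from the RP side, the following is an added Go example (it is not from the original post, the WebAuthn spec text, or any library). It plays the authenticator role only to produce test input: it mints a P-256 credential, builds authenticatorData carrying the attested credential data, and self-signs authData || clientDataHash with the credential's own private key. It then runs the RP checks that remain when there is no x5c chain to walk: rpIdHash, flags, COSE_Key decoding, point-on-curve, and signature verification under the key embedded in authData. The RP ID "rp.example", the clientDataJSON content, the hand-rolled CBOR subset and all function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// encodeCOSEP256 writes the COSE_Key map of an ES256 credential:
// {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}.
// Hand-rolled CBOR for this one shape (constructed for the example).
func encodeCOSEP256(pub *ecdsa.PublicKey) []byte {
	out := []byte{0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20}
	out = append(out, pub.X.FillBytes(make([]byte, 32))...)
	out = append(out, 0x22, 0x58, 0x20)
	return append(out, pub.Y.FillBytes(make([]byte, 32))...)
}

// cborItem decodes one CBOR item from the subset a COSE_Key needs: small
// ints (positive and negative), byte strings with a 1-byte length, and short
// maps with integer keys. Anything else is rejected rather than guessed at.
func cborItem(b []byte) (interface{}, int, error) {
	if len(b) == 0 {
		return nil, 0, errors.New("cbor: truncated")
	}
	major, info := b[0]>>5, int(b[0]&0x1f)
	switch {
	case major == 0 && info < 24: // small unsigned int
		return int64(info), 1, nil
	case major == 1 && info < 24: // small negative int, encoded as -1-n
		return -1 - int64(info), 1, nil
	case major == 2 && info == 24 && len(b) >= 2: // byte string, 1-byte length
		n := int(b[1])
		if len(b) < 2+n {
			return nil, 0, errors.New("cbor: truncated bstr")
		}
		return b[2 : 2+n], 2 + n, nil
	case major == 5 && info < 24: // short map with integer keys
		m, pos := map[int64]interface{}{}, 1
		for i := 0; i < info; i++ {
			k, n1, err := cborItem(b[pos:])
			if err != nil {
				return nil, 0, err
			}
			v, n2, err := cborItem(b[pos+n1:])
			if err != nil {
				return nil, 0, err
			}
			key, ok := k.(int64)
			if !ok {
				return nil, 0, errors.New("cbor: non-integer map key")
			}
			m[key], pos = v, pos+n1+n2
		}
		return m, pos, nil
	}
	return nil, 0, fmt.Errorf("cbor: unsupported item 0x%02x", b[0])
}

// SimulateRegistration stands in for the authenticator so the example runs
// offline (constructed data, not captured from a real device): it creates a
// credential and self-signs authData || clientDataHash with its private key.
func SimulateRegistration(rpID string) (authData, clientDataHash, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	credID := make([]byte, 16)
	if _, err = rand.Read(credID); err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x41)                // flags: UP (0x01) | AT (0x40)
	authData = append(authData, 0, 0, 0, 1)          // signCount = 1
	authData = append(authData, make([]byte, 16)...) // zero AAGUID: device not identified
	authData = append(authData, 0, byte(len(credID)))
	authData = append(authData, credID...)
	authData = append(authData, encodeCOSEP256(&priv.PublicKey)...)
	cdh := sha256.Sum256([]byte(`{"type":"webauthn.create","challenge":"constructed","origin":"https://rp.example"}`))
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return authData, cdh[:], sig, err
}

// VerifySelfAttestation runs the RP-side checks for a "packed" attestation
// statement with no x5c (self attestation). The only trust anchor is the
// credential public key carried inside authData, so the RP learns nothing
// about the device, only that the holder of that key signed this
// registration. Returns the credential ID and key the RP should store.
func VerifySelfAttestation(rpID string, authData, clientDataHash, sig []byte) ([]byte, *ecdsa.PublicKey, error) {
	if len(authData) < 55 {
		return nil, nil, errors.New("authData too short for attested credential data")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return nil, nil, errors.New("rpIdHash does not match this RP")
	}
	flags := authData[32]
	if flags&0x01 == 0 || flags&0x40 == 0 || flags&0x80 != 0 {
		return nil, nil, errors.New("need UP and AT flags, and no extensions in this subset")
	}
	n := int(binary.BigEndian.Uint16(authData[53:55]))
	if len(authData) < 55+n {
		return nil, nil, errors.New("credential ID truncated")
	}
	credID := authData[55 : 55+n]
	item, used, err := cborItem(authData[55+n:])
	if err != nil {
		return nil, nil, err
	}
	if 55+n+used != len(authData) {
		return nil, nil, errors.New("trailing bytes after COSE_Key")
	}
	key, _ := item.(map[int64]interface{})
	kty, _ := key[1].(int64)
	alg, _ := key[3].(int64)
	crv, _ := key[-1].(int64)
	x, _ := key[-2].([]byte)
	y, _ := key[-3].([]byte)
	if kty != 2 || alg != -7 || crv != 1 || len(x) != 32 || len(y) != 32 {
		return nil, nil, errors.New("only EC2 / P-256 / ES256 credential keys accepted")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, nil, errors.New("public key is not a point on P-256")
	}
	// Self attestation: the signature covers authData || clientDataHash and
	// must verify under the very key that authData just delivered.
	msg := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return nil, nil, errors.New("self-attestation signature invalid")
	}
	return credID, pub, nil
}
```

Two points follow from running this. First, the signature check proves only that the party presenting the public key also holds the matching private key; it says nothing about which device produced it, which is exactly the trade-off the question describes. Second, with the "none" format there is no signature at all, so everything the RP can still check lives in the authenticatorData and clientData validation above (rpIdHash, flags, key shape, origin and challenge), and the attStmt must be empty.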