by tialaramex
2183 days ago
It doesn't reveal "the unique private key", that would be crazy; the revealed key is a public key. And mostly sites should not ask for attestation and users should refuse to grant it if asked (Firefox asks, you can just say "No" but I'd be comfortable with clients just always saying "No" on my behalf instead). There are already designs if you are quite sure you must have attestation and yet you don't want device identification. You can do blinded attestation, and agl has written up a much fancier approach on his blog too. But again, Don't Ask, Don't Tell. The video shows this silly demo "Shiny picture" site asking for attestation, and that's a bad idea you should not replicate; write "none" instead of "direct" and then the problem goes away for your site.
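The setting the comment recommends, shown as an added example that is not part of the original comment: WebAuthn registration options built with `attestation: "none"`, plus a check a relying party can run over its own options before calling `navigator.credentials.create()`. The relying party and user values and the function names are assumptions made for illustration.

```javascript
// Added example. Function names and sample values are hypothetical.
// Conveyance preferences that ask the client for an attestation statement.
const ASKS_FOR_ATTESTATION = new Set(["indirect", "direct", "enterprise"]);

// Build PublicKeyCredentialCreationOptions that do not request attestation.
function buildCreationOptions(rp, user, challenge) {
  return {
    publicKey: {
      rp,
      user,
      challenge, // must be fresh random bytes issued by the server
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      attestation: "none",
    },
  };
}

// The preference the browser will act on; an omitted member means "none".
function effectiveAttestation(options) {
  const pk = options && options.publicKey;
  if (!pk) throw new TypeError("missing publicKey options");
  return pk.attestation === undefined ? "none" : pk.attestation;
}

// True if these options would ask the authenticator to attest.
function requestsAttestation(options) {
  return ASKS_FOR_ATTESTATION.has(effectiveAttestation(options));
}

// Browser-side wrapper: refuse to register with options that ask for attestation.
async function register(options) {
  if (requestsAttestation(options)) {
    throw new Error("refusing to request attestation: " + effectiveAttestation(options));
  }
  return navigator.credentials.create(options);
}
```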