[woodruffw]

WebAuthn doesn’t require the RP to enforce any particular hardware attestation, and many sites (the overwhelmingly majority?) allow anonymous attestation, self-attestation, or simply no attestation at all.

Having hard-to-extract device keys isn’t “DIY hostile”; it’s critical to the attestation security model. If you want to build your own WebAuthn authenticator, then you can either form your attestation root (there’s no “blessed” vendor list that I know of) or simply ignore that part of the spec.

[no_time]

I am aware how attestation works and what problem it addresses. But I strongly believe the power imbalance it creates outweighs the benefits.

Especially with bullshit like CF using it as a captcha substitute. https://blog.cloudflare.com/introducing-cryptographic-attest...

[woodruffw]

I happen to agree that this is a bad use of attestation (as well as a pointless one, since it’s cheaper and easier for a click farm to do attestation with a bunch of yubikeys than to contact out CAPTCHA solves).

However, I don’t really think it’s an indictment of either WebAuthn or attestation more generally: as pointed out, most public services do not (and probably will never) require attestation. The winds are against it more generally: non-attestation flows are easier to implement, and WebAuthn adoption is increasingly driven by authenticators that don’t necessarily offer useful attestations (e.g. on-device and virtual tokens). Most future users of WebAuthn won’t have physical keys of the sort that Cloudflare’s scheme will require.

[adql]

This fucking article.

CF, WHICH IS THE FUCKING SOURCE OF THIS PROBLEM, complains about the problem

[mooreds]

The FIDO alliance offers up a JWT with attestation data: https://fidoalliance.org/metadata/

But I agree, I don't think there's any enforcement mechanism beyond whatever the RP decide.