Re: [webauthn] Protect against TLS MiTM by including TLS cert chain in signature from Sam Srinivas via GitHub on 2017-04-05 (public-webauthn@w3.org from April 2017)

From: Sam Srinivas via GitHub <sysbot+gh@w3.org>
Date: Wed, 05 Apr 2017 17:44:52 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-291940507-1491414291-sysbot+gh@w3.org>

We should allow for the ability to choose what part of the cert chain should be included. A typical large entity, say www.bigcompany.com would have a TLS terminating front end in a CDN which may be using multiple valid www.bigcompany.com certs across instances of the front end. 

The backend server doing the webauth validation would not know which particular cert is being used -- but it will know something about the cert chain which is shared across all valid certs for Bigcompany.com  -- for eg, the intermediate CA etc. If we include just that part of the cert chain which is common across all www.bigcompany.com certs then the purpose is served. 

We should think about API options where the server can specify what parts of the chain it wants inside the signed object.

-- 
GitHub Notification of comment by sampaths
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/391#issuecomment-291940507 using your GitHub account

Received on Wednesday, 5 April 2017 17:44:58 UTC