Re: [webauthn] Make attestation more modular

Regarding Step 6 in Verifying an Attestation Statement:
If the authenticatorData in the attestation statement is controlled by
 the calling App, it doesn't make sense (from a security perspective) 
to verify the rpId hash include in authenticatorData to the one in 
In this case, the rpId would have to be included in the statement 
(i.e. level1Data).

GitHub Notification of comment by rlin1
Please view or discuss this issue at using 
your GitHub account

Received on Wednesday, 14 September 2016 09:53:24 UTC