Re: [webauthn] Make attestation more modular

From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
Date: Wed, 14 Sep 2016 09:53:16 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-246962772-1473846794-sysbot+gh@w3.org>

Regarding Step 6 in Verifying an Attestation Statement:
If the authenticatorData in the attestation statement is controlled by
the calling App, it doesn't make sense (from a security perspective)
to verify the rpId hash included in authenticatorData against the one in
clientData.
In this case, the rpId would have to be included in the statement
(i.e. level1Data).

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at 
https://github.com/w3c/webauthn/pull/161#issuecomment-246962772 using 
your GitHub account
Received on Wednesday, 14 September 2016 09:53:24 UTC
