- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Wed, 14 Sep 2016 09:53:16 +0000
- To: public-webauthn@w3.org
Regarding Step 6 in Verifying an Attestation Statement: If the authenticatorData in the attestation statement is controlled by the calling App, it doesn't make sense (from a security perspective) to verify the rpId hash included in authenticatorData against the one in clientData. In this case, the rpId would have to be included in the statement (i.e. level1Data).

--
GitHub Notification of comment by rlin1

Please view or discuss this issue at https://github.com/w3c/webauthn/pull/161#issuecomment-246962772 using your GitHub account
Received on Wednesday, 14 September 2016 09:53:24 UTC