
[webauthn] Credential ID not signed

From: Yaron Sheffer via GitHub <sysbot+gh@w3.org>
Date: Sat, 17 Sep 2016 07:52:42 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-177562563-1474098760-sysbot+gh@w3.org>
yaronf has just created a new issue for https://github.com/w3c/webauthn:

== Credential ID not signed ==
5.1.2: "The identifier of the credential used to generate the signature" is returned to the client, but AFAICT it is not actually signed. I'm not sure there's a direct vulnerability because of that, but I think including the ID in the signed material is a best practice.

@vijaybh: Good point. I do not see an attack either, or at least no attack that does not also require the signature scheme to be broken in the first place. Interesting discussion point though.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/206 using your GitHub account
Received on Saturday, 17 September 2016 07:53:02 UTC
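The issue above observes that the credential ID travels back to the relying party next to the assertion but is not covered by the assertion signature. The Go program below is an added illustration, not code from the WebAuthn specification, the w3c/webauthn repository or any implementation: it builds the signed material the way the specification describes it (authenticatorData || SHA-256(clientDataJSON)), signs it with an ES256 key, and then has a relying party verify it by looking up the registered public key under the presented credential ID. The `Authenticator` and `Assertion` types, the credential IDs `cred-A` and `cred-B`, the RP ID `rp.example` and the clientDataJSON string are all constructed for this example, and authenticatorData is reduced to its 37-byte header with no attested credential data or extensions. The last two checks in `RunScenario` carry out the reasoning in the reply: the relying party selects the verification key by credential ID, so an assertion whose ID has been replaced is checked against a different key and fails unless the signature scheme itself is broken.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assertion is the data returned to the client. Constructed for this example;
// a real AuthenticatorAssertionResponse carries the same four pieces.
type Assertion struct {
	CredentialID      []byte // sent in the clear; not part of the signed bytes
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA signature (ES256)
}

// SignedMaterial is what the authenticator signs:
// authenticatorData || SHA-256(clientDataJSON). The credential ID is absent.
func SignedMaterial(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// AuthenticatorData builds the minimal 37-byte layout:
// rpIdHash (32) || flags (1) || signCount (4, big-endian).
func AuthenticatorData(rpID string, signCount uint32) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	buf := append([]byte{}, rpHash[:]...)
	buf = append(buf, 0x01) // UP (user present) flag only
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], signCount)
	return append(buf, c[:]...)
}

// Authenticator is a hypothetical in-memory holder of one credential's key.
type Authenticator struct {
	credentialID []byte
	priv         *ecdsa.PrivateKey
}

func NewAuthenticator(credentialID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{credentialID: []byte(credentialID), priv: priv}, nil
}

// Assert signs SHA-256 of the signed material, as ES256 does.
func (a *Authenticator) Assert(authData, clientDataJSON []byte) (Assertion, error) {
	digest := sha256.Sum256(SignedMaterial(authData, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: a.credentialID, AuthenticatorData: authData,
		ClientDataJSON: clientDataJSON, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side: the credential ID only selects
// the registered public key; the signature is then checked against that key.
func VerifyAssertion(registered map[string]*ecdsa.PublicKey, as Assertion) bool {
	pub, ok := registered[string(as.CredentialID)]
	if !ok {
		return false
	}
	digest := sha256.Sum256(SignedMaterial(as.AuthenticatorData, as.ClientDataJSON))
	return ecdsa.VerifyASN1(pub, digest[:], as.Signature)
}

// ScenarioResult records the outcome of each check in RunScenario.
type ScenarioResult struct {
	IDInSignedBytes bool // does the signed material contain the credential ID?
	GenuineOK       bool // unmodified assertion verifies
	SwappedIDOK     bool // same signature, ID replaced by another registered ID
	UnknownIDOK     bool // same signature, ID replaced by an unregistered ID
}

func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	authA, err := NewAuthenticator("cred-A")
	if err != nil {
		return r, err
	}
	authB, err := NewAuthenticator("cred-B")
	if err != nil {
		return r, err
	}
	// The relying party's credential store, keyed by credential ID (constructed).
	registered := map[string]*ecdsa.PublicKey{
		"cred-A": &authA.priv.PublicKey,
		"cred-B": &authB.priv.PublicKey,
	}
	clientData := []byte(`{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://rp.example"}`)
	authData := AuthenticatorData("rp.example", 7)

	as, err := authA.Assert(authData, clientData)
	if err != nil {
		return r, err
	}
	r.IDInSignedBytes = bytes.Contains(SignedMaterial(authData, clientData), as.CredentialID)
	r.GenuineOK = VerifyAssertion(registered, as)

	swapped := as
	swapped.CredentialID = []byte("cred-B")
	r.SwappedIDOK = VerifyAssertion(registered, swapped)

	unknown := as
	unknown.CredentialID = []byte("cred-Z")
	r.UnknownIDOK = VerifyAssertion(registered, unknown)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints a result with `IDInSignedBytes:false GenuineOK:true SwappedIDOK:false UnknownIDOK:false`: the ID is indeed outside the signed bytes, yet the relying party's key lookup is what binds the assertion to a credential, which is why the thread finds no attack short of forging the signature.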
