[webauthn] Credential ID not signed

yaronf has just created a new issue for 

== Credential ID not signed ==
5.1.2: "The identifier of the credential used to generate the 
signature" is returned to the client, but AFAICT it is not actually 
signed. I'm not sure there's a direct vulnerability because of that, 
but I think including the ID in the signed material is a best 

@vijaybh: Good point. I do not see an attack either, or at least no 
attack that does not also require the signature scheme to be broken in
 the first place. Interesting discussion point though.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/206 using your GitHub account

Received on Saturday, 17 September 2016 07:53:02 UTC