[webauthn] Credential ID not signed

yaronf has just created a new issue for 
https://github.com/w3c/webauthn:

== Credential ID not signed ==
5.1.2: "The identifier of the credential used to generate the 
signature" is returned to the client, but AFAICT it is not actually 
signed. I'm not sure there's a direct vulnerability because of that, 
but I think including the ID in the signed material is a best 
practice.

@vijaybh: Good point. I do not see an attack either, or at least no 
attack that does not also require the signature scheme to be broken in 
the first place. Interesting discussion point though.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/206 using your GitHub account
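As an added example (not code from the issue or from the w3c/webauthn project), the Go sketch below shows why the unsigned credential ID gives no direct leverage on a relying party: the ID only selects which registered public key is used to verify authenticatorData || SHA-256(clientDataJSON), so substituting it picks a different key and the signature check fails unless a signature under that other key can be forged. The credential IDs, authenticator data and client data are constructed stand-ins, not real WebAuthn encodings.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// assertion mirrors a WebAuthn assertion: signature covers authenticatorData || SHA-256(clientDataJSON); credentialID rides alongside, unsigned.
type assertion struct{ credentialID, authenticatorData, clientDataJSON, signature []byte }
// relyingParty keeps the public key registered under each credential ID.
type relyingParty struct{ creds map[string]*ecdsa.PublicKey }
// signedMessage rebuilds the exact bytes the authenticator signed.
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}
// verify selects the key by the unsigned credential ID, then checks the signature; a swapped ID selects a different key.
func (rp *relyingParty) verify(a assertion) bool {
	pub, ok := rp.creds[string(a.credentialID)]
	if !ok {
		return false
	}
	digest := sha256.Sum256(signedMessage(a.authenticatorData, a.clientDataJSON))
	return ecdsa.VerifyASN1(pub, digest[:], a.signature)
}
// demo registers two constructed credentials, signs with the first, then re-presents the same signed bytes under the second ID.
func demo() (genuineOK, swappedOK bool, err error) {
	rp := &relyingParty{creds: map[string]*ecdsa.PublicKey{}}
	keys := map[string]*ecdsa.PrivateKey{}
	for _, id := range []string{"cred-A", "cred-B"} {
		k, e := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if e != nil {
			return false, false, e
		}
		keys[id], rp.creds[id] = k, &k.PublicKey
	}
	a := assertion{credentialID: []byte("cred-A"), // constructed stand-in bytes below
		authenticatorData: []byte("constructed rpIdHash|flags|counter"),
		clientDataJSON:    []byte(`{"type":"webauthn.get","challenge":"constructed"}`)}
	digest := sha256.Sum256(signedMessage(a.authenticatorData, a.clientDataJSON))
	if a.signature, err = ecdsa.SignASN1(rand.Reader, keys["cred-A"], digest[:]); err != nil {
		return false, false, err
	}
	genuineOK = rp.verify(a)
	a.credentialID = []byte("cred-B") // tamper only with the unsigned field
	return genuineOK, rp.verify(a), nil
}
func main() { g, s, err := demo(); fmt.Println(g, s, err) } // true false <nil>
```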

Received on Saturday, 17 September 2016 07:53:02 UTC