[webauthn] explain challenge's security importance and use in both registration and authentication operations

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== explain challenge's security importance and use in both registration and authentication operations ==
Need to expand the explanation of "challenge" in the spec -- challenge is used in both regstn and authn protocol runs and has security implications. It MUST NOT be created on the client-side -- rather, it MUST be randomly created on the server-side with very low probability of collisions, and verified upon receipt back from the client at the end of the protocol run in order to provide protocol-run round-trip integrity. This needs to be explained in the spec and the code in the examples altered to reflect this -- especially since developers will simply cut'n'paste our examples! :-P

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/404 using your GitHub account

Received on Friday, 14 April 2017 16:55:27 UTC