- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Fri, 14 Apr 2017 16:55:21 +0000
- To: public-webauthn@w3.org
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== explain challenge's security importance and use in both registration and authentication operations ==

Need to expand the explanation of "challenge" in the spec -- challenge is used in both registration and authentication protocol runs and has security implications. It MUST NOT be created on the client-side -- rather, it MUST be randomly created on the server-side with very low probability of collisions, and verified upon receipt back from the client at the end of the protocol run in order to provide protocol-run round-trip integrity.

This needs to be explained in the spec and the code in the examples altered to reflect this -- especially since developers will simply cut'n'paste our examples! :-P

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/404 using your GitHub account
Received on Friday, 14 April 2017 16:55:27 UTC