
Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Sun, 24 Dec 2017 22:59:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353806589-1514156361-sysbot+gh@w3.org>
Wait - actually, the response processing server (ResPS) needs to be able to verify that the returned `challenge` equals that sent to the client, so there needs to be some trusted communication path between the request processing server (ReqPS) and the ResPS so the ResPS can obtain the `challenge` from the ReqPS. Could that message then not also contain the user ID (if known, i.e. in 2nd factor mode)?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353806589 using your GitHub account
Received on Sunday, 24 December 2017 22:59:23 UTC
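
The trusted ReqPS-to-ResPS path discussed in the message above, sketched as an added example that is not part of the original message or of the WebAuthn specification. It assumes the two servers share a MAC key; `SHARED_KEY`, `reqps_issue`, `resps_verify` and the message layout are hypothetical names chosen for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: both servers hold this key, provisioned out of band (constructed value).
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def reqps_issue(user_id, now=None, ttl=120):
    """ReqPS: pick a challenge and build the authenticated message for the ResPS.
    user_id is None when the user is not yet known (no 2nd factor context)."""
    challenge = secrets.token_bytes(32)
    exp = int(time.time() if now is None else now) + ttl
    body = json.dumps({"challenge": b64u(challenge), "user_id": user_id,
                       "exp": exp}, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return challenge, b64u(body) + "." + b64u(tag)

def resps_verify(state: str, client_data_json: str, now=None):
    """ResPS: authenticate the ReqPS message, then check that the challenge the
    client returned equals the one the ReqPS sent. Returns the carried user_id."""
    try:
        body_part, tag_part = state.split(".")
        body, tag = b64u_decode(body_part), b64u_decode(tag_part)
    except ValueError:
        raise ValueError("malformed state") from None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state not issued by ReqPS")
    msg = json.loads(body)
    if (time.time() if now is None else now) > msg["exp"]:
        raise ValueError("state expired")
    # clientDataJSON carries the challenge base64url-encoded.
    returned = str(json.loads(client_data_json).get("challenge", ""))
    if not hmac.compare_digest(returned.encode(), msg["challenge"].encode()):
        raise ValueError("challenge mismatch")
    return msg["user_id"]
```

Single-use tracking of issued challenges is left out; a deployment that relays this message through the client would also need it so that a message cannot be accepted twice within its lifetime.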
