[webauthn] Protect against TLS MiTM by including TLS cert chain in signature

From: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
Date: Wed, 29 Mar 2017 20:56:55 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-218006761-1490821013-sysbot+gh@w3.org>

leshi has just created a new issue for https://github.com/w3c/webauthn:

== Protect against TLS MiTM by including TLS cert chain in signature ==
While I know token binding can do this as well, this doesn't necessarily require the server (or client) to modify as much of the stack.

The idea is that the client includes the cert chain info in the client data, the token signs over this.  Server can verify that the client saw the expected chain.  If it doesn't, the server may have a bit more info on who's doing a man in the middle than it might otherwise know with token binding.

h/t to Sam Srinivas

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/391 using your GitHub account
Received on Wednesday, 29 March 2017 20:57:01 UTC
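
The check proposed in the message above, sketched from the relying party's side as an added example; it is not code from the original message, the issue, or the WebAuthn specification. The `tlsCertChain` field name, the stand-in certificate bytes and the use of HMAC in place of the authenticator's public-key signature are assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data. Real chains would be DER-encoded certificates.
SERVER_CHAIN = [b"leaf-cert-der", b"intermediate-der", b"root-der"]
MITM_CHAIN = [b"proxy-leaf-der", b"proxy-ca-der"]
AUTHENTICATOR_KEY = b"constructed-demo-key"  # HMAC key standing in for the token's key pair


def fingerprints(chain):
    """SHA-256 fingerprint of each certificate, leaf first."""
    return [hashlib.sha256(der).hexdigest() for der in chain]


def _sign(client_data, key):
    # Stand-in for the token's signature over the hash of the client data.
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def client_assertion(challenge, origin, observed_chain, key=AUTHENTICATOR_KEY):
    """Client records the chain it actually saw; the token signs over it."""
    client_data = json.dumps({
        "challenge": challenge,
        "origin": origin,
        "tlsCertChain": fingerprints(observed_chain),  # hypothetical field name
    }, sort_keys=True).encode()
    return client_data, _sign(client_data, key)


def verify_assertion(client_data, signature, challenge, origin,
                     expected_chain, key=AUTHENTICATOR_KEY):
    """Server-side check. Returns (ok, reason, observed_chain_or_None)."""
    # Signature first: the reported chain is only evidence once it is authenticated.
    if not hmac.compare_digest(_sign(client_data, key), signature):
        return False, "bad-signature", None
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != origin:
        return False, "challenge-or-origin-mismatch", None
    observed = data.get("tlsCertChain")
    if not isinstance(observed, list) or not observed:
        return False, "chain-missing", None
    if observed != fingerprints(expected_chain):
        # Signed record of the chain the client saw: material for identifying the interceptor.
        return False, "chain-mismatch", observed
    return True, "ok", observed
```

On a mismatch the third return value is the signed list of fingerprints the client observed, which is the extra information about the interceptor that the message refers to.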
