leshi has just created a new issue for https://github.com/w3c/webauthn:

== Protect against TLS MiTM by including TLS cert chain in signature ==

While I know token binding can do this as well, this doesn't necessarily require the server (or client) to modify as much of the stack. The idea is that the client includes the cert chain info in the client data, the token signs over this. Server can verify that the client saw the expected chain. If it doesn't, the server may have a bit more info on who's doing a man in the middle than it might otherwise know with token binding.

h/t to Sam Srinivas

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/391 using your GitHub account

Received on Wednesday, 29 March 2017 20:57:01 UTC
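
The server-side check proposed in the issue above, as an added example that is not part of the original message or of the WebAuthn specification. Assumptions: the client data member name "tlsCertChain" and all function names are hypothetical, HMAC-SHA256 stands in for the authenticator's asymmetric signature so the sketch runs on the standard library alone, and the certificate bytes are constructed sample values.

```python
import hashlib, hmac, json

def chain_fingerprints(chain_der):
    """SHA-256 fingerprint of each DER-encoded certificate, leaf first."""
    return [hashlib.sha256(der).hexdigest() for der in chain_der]

def make_client_data(challenge, origin, seen_chain_der):
    # "tlsCertChain" is a hypothetical member name; the issue proposes the idea only.
    return json.dumps({"challenge": challenge, "origin": origin,
                       "tlsCertChain": chain_fingerprints(seen_chain_der)},
                      sort_keys=True).encode()

def signed_bytes(auth_data, client_data_json):
    # WebAuthn assertions sign authenticatorData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest()

def token_sign(key, auth_data, client_data_json):
    # Stand-in (assumption): HMAC-SHA256 replaces the token's asymmetric signature.
    return hmac.new(key, signed_bytes(auth_data, client_data_json), hashlib.sha256).digest()

def server_verify(key, auth_data, client_data_json, sig, challenge, origin, served_chain_der):
    """Return (verdict, chain fingerprints the client reported or None)."""
    expected_sig = token_sign(key, auth_data, client_data_json)
    if not hmac.compare_digest(expected_sig, sig):
        return "bad_signature", None
    data = json.loads(client_data_json)
    if data.get("challenge") != challenge or data.get("origin") != origin:
        return "bad_client_data", None
    seen = data.get("tlsCertChain")
    if not isinstance(seen, list) or seen != chain_fingerprints(served_chain_der):
        # Signed evidence of the chain the client actually saw: keep it for investigation.
        return "chain_mismatch", seen
    return "ok", seen

# Constructed sample data: these byte strings stand in for DER certificates.
SERVER_CHAIN = [b"constructed-leaf-cert", b"constructed-intermediate-cert"]
PROXY_CHAIN = [b"constructed-proxy-leaf", b"constructed-proxy-ca"]
KEY = b"constructed-demo-key"
AUTH_DATA = b"\x00" * 37  # constructed placeholder authenticator data

def demo(seen_chain):
    cd = make_client_data("Y29uc3RydWN0ZWQ", "https://example.test", seen_chain)
    sig = token_sign(KEY, AUTH_DATA, cd)
    return server_verify(KEY, AUTH_DATA, cd, sig, "Y29uc3RydWN0ZWQ",
                         "https://example.test", SERVER_CHAIN)

if __name__ == "__main__":
    print(demo(SERVER_CHAIN)[0], demo(PROXY_CHAIN)[0])
```

Because the chain fingerprints sit inside the signed client data, an intermediary that rewrites them to match the server's chain invalidates the signature, so the server sees either a mismatch or a bad signature.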