Re: [webauthn] Protect against TLS MiTM by including TLS cert chain in signature from =JeffH via GitHub on 2017-05-17 (public-webauthn@w3.org from May 2017)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 17 May 2017 15:29:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-302127310-1495034939-sysbot+gh@w3.org>

I agree that MITM/replay protection is important but this approach is (not immediately obviously) complex as noted by @agl and implied by @sampaths. Token binding / Channel ID / TLS Channel binding are all _more-or-less_ standardized-and-implemented approaches and I'm thinking we should rely on them at our specification level, and work to usher along implementations as we can. 

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/391#issuecomment-302127310 using your GitHub account

Received on Wednesday, 17 May 2017 15:29:07 UTC