- From: J.C. Jones via GitHub <sysbot+gh@w3.org>
- Date: Thu, 09 Nov 2017 19:47:58 +0000
- To: public-webauthn@w3.org
Re: https://github.com/w3c/webauthn/issues/404#issuecomment-294240502 and https://github.com/w3c/webauthn/issues/404#issuecomment-294236973, let's not hold their hands about how to get the octets from their back-end to WebAuthn. I suggest this compromise:

```
// server generates 32 byte random challenge value, memorizes it for validation of the upcoming
// response, and sends it to client as part of the web page running in the user agent, who then
// turns it back into a byte array thusly:
var challenge = new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]);
```

And in the Security Considerations section, add:

```
== Challenges ==

As a cryptographic protocol, Web Authentication is dependent upon randomized challenges to avoid replay attacks. Therefore, the [=challenge=] fields MUST be randomly generated by the [=Relying Party=] in an environment they trust, and the client's responses' challenge fields MUST match what was generated. This should be done in a fashion that does not rely upon a client's behavior; e.g.: the Relying Party should store the challenge temporarily until the operation is complete. Tolerating a mismatch will compromise the security of the protocol.
```

--
GitHub Notification of comment by jcjones

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/404#issuecomment-343270564 using your GitHub account
Received on Thursday, 9 November 2017 19:48:01 UTC
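
Added example, not part of the original message or of the WebAuthn specification: a Node.js sketch of the server-side handling the proposed Security Considerations text asks for, where the Relying Party generates the challenge, stores it temporarily, and rejects any response whose challenge does not match. The function names, the in-memory `Map`, the five-minute lifetime, and the base64url encoding of the echoed challenge in the client data are assumptions.

```javascript
const crypto = require("node:crypto");

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed lifetime; the message only says "temporarily"
const pending = new Map(); // sessionId -> { challenge: Buffer, expires: number }

// Relying Party: generate 32 random bytes and remember them for this session.
function issueChallenge(sessionId, now = Date.now()) {
  const challenge = crypto.randomBytes(32);
  pending.set(sessionId, { challenge, expires: now + CHALLENGE_TTL_MS });
  return Array.from(challenge); // values the page passes to new Uint8Array([...])
}

// Relying Party: check the challenge echoed in the client data against the stored
// one. The stored entry is deleted on every attempt, so a response cannot be replayed.
function verifyChallenge(sessionId, clientDataJSON, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);
  if (!entry || now > entry.expires) return false;
  let echoed;
  try {
    const clientData = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
    if (!clientData || typeof clientData.challenge !== "string") return false;
    echoed = Buffer.from(clientData.challenge, "base64url");
  } catch {
    return false;
  }
  // Length check first: timingSafeEqual throws on unequal lengths.
  return echoed.length === entry.challenge.length &&
    crypto.timingSafeEqual(echoed, entry.challenge);
}

// Constructed client response for a demo run (stands in for the user agent).
function constructedClientData(challengeBytes) {
  const challenge = Buffer.from(challengeBytes).toString("base64url");
  return Buffer.from(JSON.stringify({ challenge }), "utf8");
}

const demoBytes = issueChallenge("demo-session");
const demoResponse = constructedClientData(demoBytes);
console.log("first use:", verifyChallenge("demo-session", demoResponse));
console.log("replay:", verifyChallenge("demo-session", demoResponse));
```

Because the comparison uses only state held by the server, a client that alters or replays the challenge gets a rejection regardless of what it sends.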