Re: [webauthn] Make packed attestation format Privacy CA-friendly from John Bradley via GitHub on 2017-10-05 (public-webauthn@w3.org from October 2017)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Thu, 05 Oct 2017 00:59:09 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-334330569-1507165135-sysbot+gh@w3.org>

Good point.   That method of blinding won't work. 

That leaves us with needing to change the attestation from the Authenticator to support this.  

What are the security implications of leaving a audiance out of the attestation.  Is there anything else that is currently passed to the Authenticator that could also be used as an audiance?

The format returned needs to work both directly and with a privacy CA or whatever it is called or it will require opening up CTAP just when we thought that we were done.  

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/584#issuecomment-334330569 using your GitHub account

Received on Thursday, 5 October 2017 00:58:58 UTC