
Re: [webauthn] Transaction authorization extensions are registration and authentication extension?

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Oct 2017 13:56:54 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335480675-1507643799-sysbot+gh@w3.org>

If the RP just needs to show a prompt to the user, the RP may use a web UI component instead of using those extensions.
The transaction authorization is for the RP to ensure that the user is confirming the transaction content.
Thus, if the purpose of transaction authorization is to get cryptographic proof of user confirmation of the content, the signature for the proof should be generated with the user's private key.
If the signature is generated with an attestation key which is shared across the same authenticators (model), the server cannot ensure that the signature is generated by the specific user.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-335480675 using your GitHub account
Received on Tuesday, 10 October 2017 13:57:13 UTC
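
The distinction drawn in the message above, shown from the RP's verification side as an added example that is not part of the original message or of the WebAuthn specification. All function and variable names are hypothetical, and the P-256/SHA-256 choice and the transaction string are constructed assumptions.

```javascript
// Added illustration; the names below are hypothetical, not WebAuthn API calls.
const nodeCrypto = require('node:crypto');

const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// One attestation key pair per authenticator model, shared by every unit of that model.
const modelAttestationKey = newKey();

// Each authenticator unit holds the shared attestation key plus its own per-user credential key.
function makeAuthenticator() {
  return { attestation: modelAttestationKey, credential: newKey() };
}

// The authenticator signs the transaction text the user confirmed, using the named key.
function confirmTransaction(authenticator, keyName, text) {
  return nodeCrypto.sign('sha256', Buffer.from(text, 'utf8'), authenticator[keyName].privateKey);
}

// RP-side check: does the signature verify under the given public key?
function rpVerifies(publicKey, text, signature) {
  return nodeCrypto.verify('sha256', Buffer.from(text, 'utf8'), publicKey, signature);
}

// Constructed scenario: the RP registered Alice; Bob owns another unit of the same model.
function compareKeys() {
  const alice = makeAuthenticator();
  const bob = makeAuthenticator();
  const text = 'Pay 100 EUR to account 12345'; // constructed sample transaction
  const bobSigAttestation = confirmTransaction(bob, 'attestation', text);
  const bobSigCredential = confirmTransaction(bob, 'credential', text);
  const aliceSigCredential = confirmTransaction(alice, 'credential', text);
  return {
    // Attestation key: the RP can only check against the model's public key, so Bob's unit passes.
    attestationAcceptsOtherUnit: rpVerifies(alice.attestation.publicKey, text, bobSigAttestation),
    // Credential key: only the key registered for Alice's account verifies.
    credentialAcceptsOtherUnit: rpVerifies(alice.credential.publicKey, text, bobSigCredential),
    credentialAcceptsAlice: rpVerifies(alice.credential.publicKey, text, aliceSigCredential),
  };
}

console.log(compareKeys());
```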
