Re: [webauthn] Transaction authorization extensions are registration and authentication extension?

If the RP just needs to show a prompt to the user, the RP may use a web UI component instead of using those extensions.
Transaction authorization is for the RP to ensure that the user is confirming the transaction content.
Thus, if the purpose of transaction authorization is to get cryptographic proof of the user's confirmation of the content, the signature for the proof should be generated with the user's private key.
If the signature is generated with an attestation key, which is shared across authenticators of the same model, the server cannot ensure that the signature was generated by the specific user.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-335480675 using your GitHub account

Received on Tuesday, 10 October 2017 13:57:13 UTC
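The distinction drawn in the comment above, as an added example (not code from the thread or from the WebAuthn spec): two constructed authenticators of one model share an attestation key but hold distinct credential keys, and the RP's check only ties a transaction signature to a user when it verifies under that user's registered credential public key. Type and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator is a constructed model of one device: every device of a
// product line shares attKey; credKey is unique to one user's credential.
type Authenticator struct {
	attKey  *ecdsa.PrivateKey
	credKey *ecdsa.PrivateKey
}

// NewKey generates a P-256 key, used for both kinds of key below.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewAuthenticator builds a device of a model (shared attestation key) with a fresh per-user credential key.
func NewAuthenticator(model *ecdsa.PrivateKey) *Authenticator {
	return &Authenticator{attKey: model, credKey: NewKey()}
}

// ConfirmTx signs the transaction text shown to the user. withCredKey selects the
// per-user credential key; false uses the shared attestation key (the design argued against).
func (a *Authenticator) ConfirmTx(tx string, withCredKey bool) []byte {
	key := a.attKey
	if withCredKey {
		key = a.credKey
	}
	digest := sha256.Sum256([]byte(tx))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RPVerify is the relying party's check: the signature over tx must verify under the key registered for this user.
func RPVerify(registered *ecdsa.PublicKey, tx string, sig []byte) bool {
	digest := sha256.Sum256([]byte(tx))
	return ecdsa.VerifyASN1(registered, digest[:], sig)
}
```

With the credential key, a confirmation verifies only under the signing user's registered key; with the attestation key, every device of the model produces a signature the RP accepts, so the RP learns the model, not the user.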