
Re: [webauthn] Transaction authorization extensions are registration and authentication extension?

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Oct 2017 14:43:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335496117-1507646622-sysbot+gh@w3.org>

Ah yes, that is true. However, at registration time the RP does not yet trust the user's private key, only the attestation key, so no security would be gained by also signing with the user's private key.

I agree it raises the question of whether there's still a point in allowing the extensions for registration, but I think there is. Even if it's impossible to verify authorization by any particular user at this point, it still verifies authorization by whoever the new user is - unless the client controls a trusted attestation key, of course.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-335496117 using your GitHub account
Received on Tuesday, 10 October 2017 14:43:46 UTC
