- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 10 Oct 2017 14:43:57 +0000
- To: public-webauthn@w3.org
Ah yes, that is true. However at registration time the RP does not yet trust the user's private key, only the attestation key, so no security would be gained by also signing with the user's private key. I agree it raises the question of whether there's still a point in allowing the extensions for registration, but I think there is. Even if it's impossible to verify authorization by any particular user at this point, it still verifies authorization by whoever the new user is - unless the client controls a trusted attestation key, of course. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-335496117 using your GitHub account
Received on Tuesday, 10 October 2017 14:43:46 UTC