Re: [webauthn] Transaction authorization extensions are registration and authentication extension? from Emil Lundberg via GitHub on 2017-10-10 (public-webauthn@w3.org from October 2017)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Oct 2017 14:43:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335496117-1507646622-sysbot+gh@w3.org>

Ah yes, that is true. However at registration time the RP does not yet trust the user's private key, only the attestation key, so no security would be gained by also signing with the user's private key.

I agree it raises the question of whether there's still a point in allowing the extensions for registration, but I think there is. Even if it's impossible to verify authorization by any particular user at this point, it still verifies authorization by whoever the new user is - unless the client controls a trusted attestation key, of course.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-335496117 using your GitHub account

Received on Tuesday, 10 October 2017 14:43:46 UTC