W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] credentials.get() should have optional parameters for userVerification and userPresence

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Oct 2017 21:02:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-335947404-1507755741-sysbot+gh@w3.org>
The authenticator signs over the user presence and user verification flags, so it won't be possible to assert later that a silent signature was made with user consent. But the RP does need to take care to actually verify those flags (or store the signature), so that should probably be added to [ยง6.2. Verifying an authentication assertion][verify].

What would be the use case for silent signatures? I suppose they can't do much harm assuming the RP is trusted, but could XSS/XSRF attacks make it an issue?

[verify]: https://w3c.github.io/webauthn/#verifying-assertion

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/629#issuecomment-335947404 using your GitHub account
Received on Wednesday, 11 October 2017 21:02:24 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC