Re: [webauthn] include public key in result from create()

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Sat, 09 Sep 2017 07:00:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328259414-1504940406-sysbot+gh@w3.org>
Not having publicKey in AuthenticatorAssertionResponse cryptographically ties the assertion signature to the authenticatorMakeCredential response, as you need that public key to verify the assertion signature instead of just matching the credentialID.

IMO, it provides better security as it minimizes the RP's chance of getting fooled by an attacker who uses its own public key in the authenticatorGetAssertion response but tries to fool the RP by using the same credentialID. It also minimizes risk, as currently the attacker also has to attack the user at credential creation time.

It also plays well with the U2F interop story.

Thoughts?

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/557#issuecomment-328259414 using your GitHub account
Received on Saturday, 9 September 2017 07:00:22 UTC
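The point made in the comment above, shown as RP-side verification code. This is an added example, not code from the thread, the WebAuthn spec or any of its implementations. It assumes an ES256 (ECDSA P-256) credential, constructed sample authenticator data and client data, and a hypothetical PublicKey field on the assertion response standing in for the proposal discussed in the issue. Of the two verifiers, VerifyWithStoredKey does what the comment recommends (verify against the key bound to the credentialID at registration); VerifyWithResponseKey trusts a key carried in the assertion and so accepts a signature made under a key the RP never registered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredCredential is what the RP keeps from the make-credential (registration)
// response: the credential ID and the public key bound to it.
type StoredCredential struct {
	CredentialID []byte
	PublicKey    *ecdsa.PublicKey
}

// AssertionResponse models the fields the RP sees from get-assertion. PublicKey
// is hypothetical: it is here only to show why the RP must not verify against it.
type AssertionResponse struct {
	CredentialID      []byte
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA (ES256) over authData || SHA-256(clientDataJSON)
	PublicKey         *ecdsa.PublicKey
}

// assertionDigest returns SHA-256(authData || SHA-256(clientDataJSON)), the
// value an ES256 authenticator signs.
func assertionDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyWithStoredKey is the intended RP behaviour: look up the key bound to
// the credential ID at registration and verify the signature with that key.
// (rpIdHash, flags, counter, challenge and origin checks are omitted here.)
func VerifyWithStoredKey(store map[string]StoredCredential, resp AssertionResponse) error {
	cred, ok := store[string(resp.CredentialID)]
	if !ok {
		return errors.New("unknown credential id")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, assertionDigest(resp.AuthenticatorData, resp.ClientDataJSON), resp.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

// VerifyWithResponseKey is the pitfall: the credential ID is looked up, but the
// signature is checked against a key that arrived with the assertion itself.
func VerifyWithResponseKey(store map[string]StoredCredential, resp AssertionResponse) error {
	if _, ok := store[string(resp.CredentialID)]; !ok {
		return errors.New("unknown credential id")
	}
	if resp.PublicKey == nil || !ecdsa.VerifyASN1(resp.PublicKey, assertionDigest(resp.AuthenticatorData, resp.ClientDataJSON), resp.Signature) {
		return errors.New("signature does not verify under the supplied key")
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in the signature and the hypothetical PublicKey field of resp.
func sign(k *ecdsa.PrivateKey, resp *AssertionResponse) {
	sig, err := ecdsa.SignASN1(rand.Reader, k, assertionDigest(resp.AuthenticatorData, resp.ClientDataJSON))
	if err != nil {
		panic(err)
	}
	resp.Signature, resp.PublicKey = sig, &k.PublicKey
}

// Scenario registers one credential (constructed sample data), then presents a
// genuine assertion and one that reuses the credential ID under a different key.
func Scenario() (genuineStored, genuineResp, forgedStored, forgedResp error) {
	userKey := newKey()
	credID := []byte("constructed-credential-id")
	store := map[string]StoredCredential{string(credID): {CredentialID: credID, PublicKey: &userKey.PublicKey}}
	authData := []byte("constructed-authenticator-data")
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed"}`)
	genuine := AssertionResponse{CredentialID: credID, AuthenticatorData: authData, ClientDataJSON: clientData}
	sign(userKey, &genuine)
	forged := AssertionResponse{CredentialID: credID, AuthenticatorData: authData, ClientDataJSON: clientData}
	sign(newKey(), &forged) // a key the RP never registered, same credential ID
	return VerifyWithStoredKey(store, genuine), VerifyWithResponseKey(store, genuine),
		VerifyWithStoredKey(store, forged), VerifyWithResponseKey(store, forged)
}

func main() {
	a, b, c, d := Scenario()
	fmt.Println("genuine:", a, b, "| forged:", c, d)
}
```

Running it shows the genuine assertion passing both verifiers, while the one signed under an unregistered key fails only the verifier that uses the stored key. A production RP additionally checks rpIdHash, the user-presence and user-verification flags, the signature counter, and the challenge and origin in clientDataJSON, none of which are modelled here.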