Re: [webauthn] include public key in result from create()

Not having publicKey in AuthenticatorAssertionResponse cryptographically ties the assertion signature to the authenticatorMakeCredential response, as you need that public key to verify the assertion signature instead of just matching the credentialID.

IMO, it provides better security as it minimizes the RP's chance of getting fooled by an attacker who uses its own public key in the authenticatorGetAssertion response but tries to fool the RP by using the same credentialID. It also minimizes risk, as currently the attacker also has to attack the user at credential creation time.

It also plays well with the U2F interop story.

Thoughts?

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/557#issuecomment-328259414 using your GitHub account

Received on Saturday, 9 September 2017 07:00:22 UTC