leshi has just created a new issue for https://github.com/w3c/webauthn:

== Obfuscate Safetynet nonce ==

The current signing procedure for the Safetynet attestation states:

> Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
>
> Concatenate authenticatorData and clientDataHash to form attToBeSigned.
>
> Request a SafetyNet attestation, providing attToBeSigned as the nonce value.

This has the product of sending unnecessary data to the Safetynet servers. For example, `rpIdHash` would be easy to brute-force. Instead, we should be sending the hash of `attToBeSigned`.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/868 using your GitHub account

Received on Thursday, 12 April 2018 21:36:43 UTC