W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2018

Article: Security Concerns Surrounding WebAuthn

From: Emil Lundberg <emil@yubico.com>
Date: Thu, 23 Aug 2018 12:35:02 +0200
Message-ID: <CANMnvkw5DMEmZv0tFW9e07DcyttSy_t_y9cCMNtm2arHue4aXw@mail.gmail.com>
To: W3C Web Authn WG <public-webauthn@w3.org>
This article was published today, highlighting a number of issues they
identified in WebAuthn:

https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet

As far as I can tell, their main concerns are:

- JOSE implementations are historically error prone
- RSA with PKCS1v1.5 padding
- Many concerns about the security of ECDAA
  - Point compression not allowed
  - Nondeterministic nonces
  - BN curves

/Emil

-- 

Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>
Received on Thursday, 23 August 2018 10:35:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:54 UTC