Re: [webauthn] Transaction authorization extensions are registration and authentication extension?

I see value in this extension being present during MakeCredential.

The signature signed by the authenticator will show whether this extension was used or not. If the RP can accept the key creation itself by trusting the signature by the attestation certificate, I don't know why this extension being present is not considered secure, especially given the fact that the nonce is also being signed.

So even if it is signed by the attestation certificate, the nonce gives that binding if the RP is so concerned.

I would close this issue as I don't see the problem here.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/621#issuecomment-406006147 using your GitHub account

Received on Wednesday, 18 July 2018 17:10:40 UTC