I just wanted to point out that my assumption about an existing MiM is taken from the [specification](https://www.w3.org/TR/webauthn/#sctn-no-attestation-security-attestation) - extended by the fact that the attacker can own an Authenticator accepted by the RP and, therefore, is able to create a valid AttestationObject using all kinds of AttestationTypes (not just Self or None).

--
GitHub Notification of comment by milesstoetzner

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088#issuecomment-428494643 using your GitHub account

Received on Wednesday, 10 October 2018 09:01:49 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:35 UTC