Re: [webauthn] Leap of Faith not only for Self and None Attestation Types from milesstoetzner via GitHub on 2018-10-10 (public-webauthn@w3.org from October 2018)

From: milesstoetzner via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Oct 2018 09:01:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-428494643-1539162101-sysbot+gh@w3.org>

I just wanted to point out, that my assumption about an existing MiM is taken from the [specification](https://www.w3.org/TR/webauthn/#sctn-no-attestation-security-attestation) - extended by the fact, that the attacker can own an by the RP accepted Authenticator and ,therefore, is able to create a valid AttestationObject using all kinds of AttestationTypes (not just Self or None).

-- 
GitHub Notification of comment by milesstoetzner
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088#issuecomment-428494643 using your GitHub account

Received on Wednesday, 10 October 2018 09:01:49 UTC