> The attacker doesn't need to change the `clientDataJSON`, but would have to be able to control the generated credential ID in order for the signed `attestationObject.authData.attestedCredentialData.credentialId` to agree with the `PublicKeyCredential.rawId`. This only holds true, if the attacker wants to register the same `credentialId` as generated by the user - but he doesn't have to. Since he can replace `PublicKeyCredential.response`, he can also replace `PublicKeyCredential.rawId`. -- GitHub Notification of comment by milesstoetzner Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088#issuecomment-428539313 using your GitHub accountReceived on Wednesday, 10 October 2018 11:38:35 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:35 UTC