
Re: [webauthn] Leap of Faith not only for Self and None Attestation Types

From: milesstoetzner via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Oct 2018 11:38:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-428539313-1539171513-sysbot+gh@w3.org>
> The attacker doesn't need to change the `clientDataJSON`, but would have to be able to control the generated credential ID in order for the signed `attestationObject.authData.attestedCredentialData.credentialId` to agree with the `PublicKeyCredential.rawId`.

This only holds true if the attacker wants to register the same `credentialId` as generated by the user, but he doesn't have to. Since he can replace `PublicKeyCredential.response`, he can also replace `PublicKeyCredential.rawId`.



-- 
GitHub Notification of comment by milesstoetzner
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088#issuecomment-428539313 using your GitHub account
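Added example (not part of the comment above or of the WebAuthn project's code): a minimal relying-party-side parser for the `authData` inside `attestationObject`, used to perform the `credentialId == rawId` consistency check the thread discusses. The sample `authData` blobs, the zero AAGUID and the placeholder COSE key bytes are constructed here for illustration; the layout follows the WebAuthn authenticator-data format.

```python
import hashlib
import struct

# authData layout (WebAuthn spec):
#   rpIdHash (32) | flags (1) | signCount (4, BE) | aaguid (16) |
#   credentialIdLength (2, BE) | credentialId | credentialPublicKey (COSE/CBOR)
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

# Constructed sample values for this example only
GENUINE_ID = b"\x01" * 16      # credentialId a real authenticator produced
SUBSTITUTED_ID = b"\x02" * 16  # credentialId a client-side attacker swaps in
DUMMY_KEY = b"\xa0"            # placeholder: empty CBOR map standing in for a COSE key


def build_auth_data(rp_id: str, credential_id: bytes, cose_key: bytes, sign_count: int = 0) -> bytes:
    """Assemble authenticator data carrying attested credential data (constructed input)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    aaguid = bytes(16)  # zero AAGUID, as seen with 'none' attestation
    return (rp_id_hash + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


def parse_attested_credential_id(auth_data: bytes) -> bytes:
    """Return attestedCredentialData.credentialId from authData, rejecting malformed input."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag not set: no attested credential data present")
    if len(auth_data) < 55:
        raise ValueError("authData truncated before credentialIdLength")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("authData truncated inside credentialId")
    return cred_id


def credential_id_matches_raw_id(auth_data: bytes, raw_id: bytes) -> bool:
    """RP check from the thread: the signed credentialId must equal PublicKeyCredential.rawId."""
    return parse_attested_credential_id(auth_data) == raw_id
```

The check detects a mismatch when only `rawId` is swapped, but passes when both `response` and `rawId` are replaced together, which is exactly the point made above: with `none` or self attestation it proves internal consistency, not authenticator provenance.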
Received on Wednesday, 10 October 2018 11:38:35 UTC
