Re: [webauthn] Leap of Faith not only for Self and None Attestation Types

> The attacker doesn't need to change the `clientDataJSON`, but would have to be able to control the generated credential ID in order for the signed `attestationObject.authData.attestedCredentialData.credentialId` to agree with the `PublicKeyCredential.rawId`.

This only holds true if the attacker wants to register the same `credentialId` as the one generated by the user, but he doesn't have to. Since he can replace `PublicKeyCredential.response`, he can also replace `PublicKeyCredential.rawId`.



-- 
GitHub Notification of comment by milesstoetzner
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1088#issuecomment-428539313 using your GitHub account

Received on Wednesday, 10 October 2018 11:38:35 UTC