[webauthn] Verify signature first in RP operations?

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 10 Sep 2018 14:08:53 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-358640603-1536588532-sysbot+gh@w3.org>
emlun has just created a new issue for https://github.com/w3c/webauthn:

== Verify signature first in RP operations? ==
It's good hygiene in cryptographic operations to [verify signatures before doing anything else][doom]. The [RP Operations][rp] currently list verifying the signature as one of the last steps. Should we rearrange the RP Operations steps to verify the signature as early as possible?

Doing this would not break any compatibility since this is all RP implementation details.

[doom]: https://moxie.org/blog/the-cryptographic-doom-principle/
[rp]: https://w3c.github.io/webauthn/#rp-operations

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1064 using your GitHub account
Received on Monday, 10 September 2018 14:08:55 UTC
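
The ordering proposed in the issue, as an added example that is not part of the original message or of the w3c/webauthn repository: a Node.js sketch of a Relying Party assertion check that verifies the signature over authenticatorData || SHA-256(clientDataJSON) before parsing anything the client sent. The names `verifyAssertion`, `makeSample` and the fields of `expected` are hypothetical, the credential's public key is assumed to have been looked up already, and the key and values are constructed sample data.

```javascript
// Added illustration; not code from the WebAuthn spec or the w3c/webauthn repo.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const fail = (reason) => ({ ok: false, reason });

// Hypothetical RP helper. The assertion signature covers
// authenticatorData || SHA-256(clientDataJSON), so both inputs can stay
// opaque bytes until the signature has verified.
function verifyAssertion(a, expected) {
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, a.publicKey, a.signature)) {
    return fail('bad-signature'); // rejected before any parsing
  }
  // Only authenticated bytes are interpreted from here on.
  let client;
  try {
    client = JSON.parse(a.clientDataJSON.toString('utf8'));
  } catch {
    return fail('bad-client-data');
  }
  if (client?.type !== 'webauthn.get') return fail('bad-type');
  if (client.challenge !== expected.challenge) return fail('bad-challenge');
  if (client.origin !== expected.origin) return fail('bad-origin');
  if (a.authenticatorData.length < 37) return fail('bad-authenticator-data');
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return fail('bad-rp-id');
  if ((a.authenticatorData[32] & 0x01) === 0) return fail('user-not-present');
  return { ok: true };
}

// Constructed sample: a throwaway P-256 key stands in for a registered credential.
function makeSample(expected) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from(expected.rpId)), // rpIdHash (32 bytes)
    Buffer.from([0x01]),                // flags: user present
    Buffer.from([0, 0, 0, 1]),          // signature counter
  ]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: expected.challenge, origin: expected.origin,
  }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, privateKey); // DER-encoded ECDSA
  return { publicKey, authenticatorData, clientDataJSON, signature };
}
```

The challenge, origin and RP ID checks still have to run; they only move after the signature check, so a forged or modified response is rejected without its JSON ever reaching the parser.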
