[webauthn] Verify signature first in RP operations?

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Verify signature first in RP operations? ==
It's good hygiene in cryptographic operations to [verify signatures before doing anything else][doom]. The [RP Operations][rp] currently list verifying the signature as one of the last steps. Should we rearrange the RP Operations steps to verify the signature as early as possible?

Doing this would not break any compatibility since this is all RP implementation details.

[doom]: https://moxie.org/blog/the-cryptographic-doom-principle/
[rp]: https://w3c.github.io/webauthn/#rp-operations

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1064 using your GitHub account

Received on Monday, 10 September 2018 14:08:55 UTC
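
The ordering proposed in the issue above, sketched as an added example (not code from the issue, the WebAuthn spec, or any RP library): the signature over `authenticatorData || SHA-256(clientDataJSON)` is checked on the raw bytes before `clientDataJSON` is parsed at all. `verifyAssertion`, `makeAssertion`, the `rp.example` origin and the throwaway P-256 key are assumptions made for illustration.

```javascript
// Added example: verify-first ordering for a WebAuthn assertion (not spec text).
// Loads Node's crypto module under either CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Hypothetical RP helper. The only pre-signature work is fetching the stored key.
function verifyAssertion(a, expected, publicKey) {
  // 1. Signature over the raw bytes: authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, publicKey, a.signature)) return 'bad-signature';
  // 2. Only now parse and interpret the authenticated bytes.
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return 'bad-rpid';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  return 'ok';
}

// Constructed sample data: a throwaway P-256 key stands in for an authenticator.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const expected = {
  challenge: 'Y29uc3RydWN0ZWQ', origin: 'https://rp.example', rpId: 'rp.example' };

function makeAssertion(clientData) {
  const clientDataJSON = Buffer.from(JSON.stringify(clientData));
  // rpIdHash (32 bytes) | flags (UP set) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from(expected.rpId)), Buffer.from([0x01]), Buffer.from([0, 0, 0, 1])]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { authenticatorData, clientDataJSON, signature };
}

const good = makeAssertion(
  { type: 'webauthn.get', challenge: expected.challenge, origin: expected.origin });
// Modified after signing and no longer valid JSON: rejected before JSON.parse runs.
const tampered = { ...good, clientDataJSON: Buffer.from('{"type":"webauthn.get"') };
// Validly signed for another origin: passes step 1, so step 2 is still required.
const wrongOrigin = makeAssertion(
  { type: 'webauthn.get', challenge: expected.challenge, origin: 'https://other.example' });
```

With the checks in the opposite order, the `tampered` input would reach the JSON parser and throw there; with the signature first, unauthenticated bytes never reach it.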