Re: [webauthn] Verify signature first in RP operations?

Moxie's post is about the dangers of mixing secrets with unauthenticated data. Since the RP is verifying public-key operations, it doesn't apply here.

Nonetheless, if we assume that some RPs might miss some of the enumerated checks, having “check the signature” be step 16 of 17 might be a little dangerous. So I wouldn't object to prioritising it if someone wanted to make the PR.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1064#issuecomment-420705800 using your GitHub account

Received on Wednesday, 12 September 2018 16:08:21 UTC
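The following is an added example of the ordering agl is suggesting, written for this page; it is not code from the thread, from agl, or from the webauthn specification. It sketches a relying-party assertion check in which the signature over authenticatorData || SHA-256(clientDataJSON) is verified before any other field is parsed, so a tampered clientDataJSON or authenticatorData is rejected at the signature step rather than somewhere in the later checks. Assumptions: the credential is P-256/ECDSA (COSE alg -7); the RP already has the credential's public key plus the challenge, origin and RP ID it issued; the names `Expected`, `VerifyAssertion` and `Assert` are invented here; `Assert` is a constructed stand-in for the authenticator used only to produce test data; and only a subset of the RP checks is shown (no signCount comparison, extension handling or user-handle lookup).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Distinct errors so a caller (or test) can see which check rejected the assertion.
var (
	ErrBadSignature  = errors.New("assertion signature does not verify")
	ErrShortAuthData = errors.New("authenticatorData shorter than 37 bytes")
	ErrBadRPIDHash   = errors.New("rpIdHash does not match the RP ID")
	ErrNoUserPresent = errors.New("user-present flag not set")
	ErrBadType       = errors.New("clientData.type is not webauthn.get")
	ErrBadChallenge  = errors.New("challenge does not match the one issued")
	ErrBadOrigin     = errors.New("origin does not match")
)

// Expected is what the RP stored for this ceremony (a struct made up for this example).
type Expected struct {
	Challenge []byte // raw challenge bytes the RP issued
	Origin    string // e.g. "https://example.com"
	RPID      string // e.g. "example.com"
}
// clientData is the subset of CollectedClientData that the example checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}
// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) [32]byte {
	cdh := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append(make([]byte, 0, len(authData)+32), authData...), cdh[:]...))
}

// VerifyAssertion checks a P-256/ECDSA assertion, verifying the signature before anything else is interpreted.
func VerifyAssertion(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte, exp Expected) error {
	if d := signedDigest(authData, clientDataJSON); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return ErrBadSignature // reject here: nothing below has looked at unauthenticated bytes
	}
	// authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4) || optional extras.
	if len(authData) < 37 {
		return ErrShortAuthData
	}
	if want := sha256.Sum256([]byte(exp.RPID)); !bytes.Equal(authData[:32], want[:]) {
		return ErrBadRPIDHash
	}
	if authData[32]&0x01 == 0 { // flags bit 0 is UP (user present)
		return ErrNoUserPresent
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return ErrBadType
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, exp.Challenge) {
		return ErrBadChallenge
	}
	if cd.Origin != exp.Origin {
		return ErrBadOrigin
	}
	return nil
}

// Assert is a constructed stand-in for the authenticator: it builds and signs an assertion for the given inputs.
func Assert(priv *ecdsa.PrivateKey, signCount uint32, challenge []byte, origin, rpID string) (authData, clientDataJSON, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	var count [4]byte
	binary.BigEndian.PutUint32(count[:], signCount)
	authData = append(append(append(authData, rpIDHash[:]...), 0x05), count[:]...) // flags 0x05 = UP|UV
	clientDataJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	d := signedDigest(authData, clientDataJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, d[:])
	return authData, clientDataJSON, sig, err
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	exp := Expected{Challenge: []byte("constructed-challenge-0001"), Origin: "https://example.com", RPID: "example.com"}
	ad, cdj, sig, _ := Assert(priv, 1, exp.Challenge, exp.Origin, exp.RPID)
	fmt.Println("genuine:", VerifyAssertion(&priv.PublicKey, ad, cdj, sig, exp))
	tampered := bytes.Replace(cdj, []byte("example.com"), []byte("attacker.example"), 1) // edited after signing
	fmt.Println("tampered:", VerifyAssertion(&priv.PublicKey, ad, tampered, sig, exp))
}
```

The design point is the one agl makes: once the signature check comes first, an RP that forgets or mis-implements one of the later checks is still only ever reasoning about bytes the authenticator actually signed, and an unsigned edit to the origin, challenge or flags never reaches the code that would have had to catch it. The distinct error values are there so a test can confirm which check fired.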