
[webauthn] Why does WebAuthn require a challenge when asking the client to register a new credential? (#1355)

From: Johnny via GitHub <sysbot+gh@w3.org>
Date: Tue, 17 Dec 2019 01:12:49 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-538774706-1576545168-sysbot+gh@w3.org>

johnnyodonnell has just created a new issue for https://github.com/w3c/webauthn:

== Why does WebAuthn require a challenge when asking the client to register a new credential? ==
When [registering a new credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential), why does the client need to be sent a [challenge](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-challenge)?

Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS already?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1355 using your GitHub account
Received on Tuesday, 17 December 2019 01:12:51 UTC
