- From: Adam Langley <agl@google.com>
- Date: Fri, 22 Feb 2019 14:45:00 -0800
- To: Mart Sõmermaa <mart.somermaa@gmail.com>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>
Received on Friday, 22 February 2019 22:45:40 UTC
On Fri, Feb 22, 2019 at 12:44 PM Mart Sõmermaa <mart.somermaa@gmail.com> wrote:

> Thanks, that's exactly what I wanted to propose - to use the certificate
> fingerprint as an additional input in `clientDataJSON` for protection
> against man-in-the-middle attacks that the server-side application later
> verifies, this would be similar to TLS Client Certificate Authentication.
>
> The proposal is here:
>
> https://gitlab.com/mrts/webauthn-additions/wikis/Mitigation-for-man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker
>
> Yes, this is a significant change in browsers. Do you think it is possible
> to propose this to browser working groups?
> Would there be a JavaScript API for accessing the verified certificate?
>
> In case you find the proposal valuable, how to proceed with this?
>

I believe this is https://github.com/w3c/webauthn/issues/391

Cheers

AGL