Re: [webauthn] Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) (#1196)

Per discussion on the WG call:

I think this is yet another argument that WebAuthn WG needs to produce, minimally, an explainer document as to (as an incomplete list of examples)
1) thorny bits of how the JS API works,
2) challenge hygiene,
3) migration from FIDO U2F JS API,
4) risk-assessment-grounded choices about attestation types (whether to demand Direct, whether to prohibit None),
5) algorithm selection.

(See: #1231, #91,

The previous efforts on this were closed as not being a deliverable of the WG. However, perhaps we should just start collecting the data in this wiki:

So let's take it there and start collecting. Per the above though, I am closing this issue.

GitHub Notification of comment by jcjones

Received on Wednesday, 12 June 2019 20:02:31 UTC