Re: [webauthn] Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity (#1257)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 23 Oct 2019 17:08:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-545543512-1571850521-sysbot+gh@w3.org>
@emlun's analysis of the phishability of the architecture outlined in his https://github.com/w3c/webauthn/issues/1257#issuecomment-510486375 seems overall correct (on quick skim).

The original thrust of this issue is "authnr & client platform proximity", which is a not-so-clear way to say "authnr & client secure channel establishment via a non-MITM-able, non-eavesdroppable channel, e.g., one requiring physical proximity, e.g., the authnr scanning a local-client-displayed QR code containing initial key seeds/shares, or the client and authnr communicating over a physical USB connection (and sharing keys), or over NFC (and sharing keys)." I.e., this is how caBLE's handshake's security guarantees are established.

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1257#issuecomment-545543512 using your GitHub account
Received on Wednesday, 23 October 2019 17:08:44 UTC