Re: [webauthn] Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity (#1257)

@emlun's analysis of the phishability of the architecture outlined in his https://github.com/w3c/webauthn/issues/1257#issuecomment-510486375 seems overall correct (on quick skim)

The original thrust of this issue is "authnr & client platform proximity", which is a not-so-clear way to say "authnr & client secure channel establishment via a non-MITM-able, non-eavesdroppable channel, e.g., one requiring physical proximity, e.g. the authnr scanning a local-client-displayed QR code containing initial key seeds/shares, or the client and authnr communicating over a physical USB connection (and sharing keys), or over NFC (and sharing keys)." I.e., this is how caBLE's handshake's security guarantees are established.



-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1257#issuecomment-545543512 using your GitHub account

Received on Wednesday, 23 October 2019 17:08:44 UTC
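The property the comment above describes, namely that a key seed delivered over a proximity-only channel (a QR code scanned by the authenticator) lets both sides derive session keys that an attacker sitting only on the radio channel can neither read nor forge, is shown below as an added, simplified example. It is not code from the thread, from the WebAuthn spec or from any caBLE implementation: the HKDF info label, the wire layout (nonce, ciphertext, HMAC tag) and the HMAC-SHA256 counter-mode keystream are assumptions chosen so the script runs with the Python standard library only; a real hybrid transport would use the spec's handshake and an AEAD such as AES-GCM.

```python
"""Proximity-bootstrapped secure channel: client <-> authenticator (illustrative model).

Added example, not the caBLE/hybrid transport protocol. The QR payload, the
HKDF label, the message format and the HMAC-based stream cipher are all
assumptions made here so the example is self-contained and runnable.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def make_qr_payload() -> dict:
    """Client side: fresh seed that reaches the authenticator ONLY via the displayed QR code."""
    return {"seed": secrets.token_bytes(32), "client_id": secrets.token_bytes(16)}


def derive_session_keys(qr: dict) -> tuple:
    """Both ends run this on the scanned QR payload; the info label is an assumption."""
    okm = hkdf(qr["seed"], qr["client_id"], b"example-proximity-channel-v1", 64)
    return okm[:32], okm[32:]  # (k_enc, k_mac)


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (illustrative, not for production)."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + i.to_bytes(4, "big"), HASH).digest()
        i += 1
    return out[:n]


def seal(k_enc: bytes, k_mac: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, HASH).digest()
    return nonce + ct + tag


def unseal(k_enc: bytes, k_mac: bytes, msg: bytes):
    """Verify the tag in constant time first; return None on any forgery or tampering."""
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, HASH).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def run_scenario() -> dict:
    """Legitimate session, then two attackers who see the radio channel but never the QR code."""
    qr = make_qr_payload()                 # shown on the client's screen
    client_keys = derive_session_keys(qr)  # client knows what it displayed
    authnr_keys = derive_session_keys(qr)  # phone scanned the same QR code

    # 1. Authenticator -> client over the radio link: accepted.
    wire = seal(*authnr_keys, b"assertion:ok")
    legit = unseal(*client_keys, wire)

    # 2. Active MITM flips one ciphertext bit (offset 20 lies inside the ciphertext).
    tampered = bytearray(wire)
    tampered[20] ^= 0x01
    mitm = unseal(*client_keys, bytes(tampered))

    # 3. Rogue device that never saw the QR code derives keys from its own seed.
    rogue_qr = {"seed": secrets.token_bytes(32), "client_id": qr["client_id"]}
    rogue = unseal(*client_keys, seal(*derive_session_keys(rogue_qr), b"assertion:ok"))

    return {
        "keys_match": client_keys == authnr_keys,
        "legit": legit,
        "tampered_accepted": mitm is not None,
        "rogue_accepted": rogue is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the walk-through is the third case: confidentiality and integrity of the radio channel rest entirely on the seed having travelled over a channel the attacker cannot observe or inject into (the QR scan, or a USB or NFC connection); nothing about the radio link itself is trusted.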