
Re: [webauthn] What is the difference between origin verification at client and RP end? (#1434)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 04 Jun 2020 18:21:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-639024146-1591294906-sysbot+gh@w3.org>
It's a defense in depth and good security hygiene. It would help a bit in case a faulty authenticator reuses the same private key and credential ID across RPs, but I think you're right that it's not strictly necessary if both client and authenticator are compliant - if the client is malicious, a phishing site can forge the RP ID anyway, and if the client is benevolent, any valid signature from a phishing site will have been made with the wrong private key.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1434#issuecomment-639024146 using your GitHub account
Received on Thursday, 4 June 2020 18:21:48 UTC
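The RP-end checks the thread is about, as an added example that is not part of the comment or of the WebAuthn specification's own text: the RP compares the origin the client wrote into clientDataJSON against its own allow-list, and compares the rpIdHash the authenticator signed over against SHA-256 of the RP ID. The RP ID, the allowed origins and the sample inputs are constructed assumptions; signature verification is left out so the binding checks stand on their own.

```python
import hashlib
import json
from typing import Tuple

# Hypothetical RP configuration (assumed values, not from the thread).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def verify_rp_side_binding(client_data_json: bytes, authenticator_data: bytes,
                           expected_type: str = "webauthn.get") -> Tuple[bool, str]:
    """Return (ok, reason) after the origin and rpIdHash checks an RP performs.

    A benign client fills in the origin itself, so a phishing origin shows up in
    clientDataJSON; the rpIdHash check is the defense-in-depth layer against an
    authenticator that reused a key across RPs, as the comment above describes.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != expected_type:
        return False, f"unexpected type {client_data.get('type')!r}"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not in allow-list"
    if len(authenticator_data) < 37:  # rpIdHash(32) || flags(1) || signCount(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match SHA-256(RP ID)"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return False, "user-presence flag not set"
    return True, "origin and rpIdHash checks passed"


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 0) -> bytes:
    """Build minimal authenticatorData (rpIdHash || flags || signCount) for a test."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


# Constructed sample inputs: one from the real origin, one from a look-alike origin.
GOOD_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": "c2FtcGxl",
                               "origin": "https://example.com"}).encode()
PHISH_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": "c2FtcGxl",
                                "origin": "https://examp1e.com"}).encode()

if __name__ == "__main__":
    print(verify_rp_side_binding(GOOD_CLIENT_DATA, make_authenticator_data(RP_ID)))
    print(verify_rp_side_binding(PHISH_CLIENT_DATA, make_authenticator_data("examp1e.com")))
```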
