Re: [webauthn] What is the difference between origin verification at client and RP end? (#1434)

It's a defense in depth and good security hygiene. It would help a bit in case a faulty authenticator reuses the same private key and credential ID across RPs, but I think you're right that it's not strictly necessary if both client and authenticator are compliant - if the client is malicious, a phishing site can forge the RP ID anyway, and if the client is benevolent, any valid signature from a phishing site will have been made with the wrong private key.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1434#issuecomment-639024146 using your GitHub account

Received on Thursday, 4 June 2020 18:21:48 UTC
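The two RP-side checks the comment refers to (the `origin` field in `clientDataJSON` and the `rpIdHash` prefix of `authenticatorData`) as an added example, not code from emlun's comment or from the w3c/webauthn repository. The RP ID `example.com`, the allowed origins, the challenge bytes and the `build_*` helpers that stand in for a client and authenticator are all constructed for illustration; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is noted where it would go but not implemented, since the point here is the two checks that remain useful even when the signature verifies (for instance, a faulty authenticator reusing one key across RPs).

```python
import base64
import hashlib
import hmac
import json
import struct

# Relying-party configuration; values assumed for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Constructed inputs standing in for what a client and authenticator produce ---

def build_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """clientDataJSON as a benevolent client assembles it: it reports the origin it actually saw."""
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()


def build_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# --- RP-side checks ---

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_type: str = "webauthn.get") -> tuple:
    """Check type, challenge and origin of clientDataJSON; return (ok, reason)."""
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        return False, "type"
    challenge = b64url_decode(data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin"
    return True, "ok"


def verify_rp_id_hash(authenticator_data: bytes, rp_id: str = RP_ID) -> bool:
    """The first 32 bytes of authenticatorData must equal SHA-256 of the RP ID we expect."""
    if len(authenticator_data) < 37:
        return False
    expected = hashlib.sha256(rp_id.encode()).digest()
    return hmac.compare_digest(authenticator_data[:32], expected)


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> tuple:
    """Origin and rpIdHash checks; the signature check would follow these."""
    ok, reason = verify_client_data(client_data_json, expected_challenge)
    if not ok:
        return False, reason
    if not verify_rp_id_hash(authenticator_data):
        return False, "rpIdHash"
    # Here the RP would verify the signature over authenticatorData || SHA-256(clientDataJSON)
    # with the credential's stored public key. Omitted in this example.
    return True, "ok"


# Constructed challenge; a real RP issues fresh random bytes per ceremony.
CHALLENGE = b"\x00\x01\x02" * 11


def legitimate() -> tuple:
    return check_assertion(build_client_data("https://example.com", CHALLENGE),
                           build_auth_data(RP_ID), CHALLENGE)


def phished_via_honest_client() -> tuple:
    # A benevolent client on a look-alike site reports that origin and hands the
    # look-alike RP ID to the authenticator; the RP rejects at the origin check.
    return check_assertion(build_client_data("https://examp1e.com", CHALLENGE),
                           build_auth_data("examp1e.com"), CHALLENGE)


def forged_origin_wrong_rp_id() -> tuple:
    # clientDataJSON claims the right origin but authenticatorData was scoped to
    # another RP ID; the rpIdHash check catches it independently of the origin check.
    return check_assertion(build_client_data("https://example.com", CHALLENGE),
                           build_auth_data("examp1e.com"), CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate())
    print("phished via honest client:", phished_via_honest_client())
    print("forged origin, wrong rpIdHash:", forged_origin_wrong_rp_id())
```

The `rpIdHash` comparison is what makes the "faulty authenticator" case recoverable: a reused key would make the signature verify, but the authenticator still hashes whatever RP ID the client passed into `authenticatorData`, so a phishing-site assertion fails this check before the RP ever trusts it.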