It's a defense in depth and good security hygiene. It would help a bit in case a faulty authenticator reuses the same private key and credential ID across RPs, but I think you're right that it's not strictly necessary if both client and authenticator are compliant - if the client is malicious, a phishing site can forge the RP ID anyway, and if the client is benevolent, any valid signature from a phishing site will have been made with the wrong private key.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1434#issuecomment-639024146 using your GitHub account

Received on Thursday, 4 June 2020 18:21:48 UTC
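The Relying Party-side check that the comment above treats as defense in depth is, in WebAuthn terms, verifying that the `rpIdHash` in the authenticator data matches the SHA-256 of the RP ID the server expects, alongside the origin check on `clientDataJSON`. The following is an added example written for this archive page, not code from the thread or from the WebAuthn specification; it assumes a simplified RP that accepts a fixed set of origins and treats the RP ID as a registrable suffix of the origin's host, and the authenticator data and client data it builds are constructed sample inputs.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Layout of the fixed-size prefix of WebAuthn authenticator data:
# rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
AUTH_DATA_MIN_LEN = 37


def build_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data for the given RP ID (no extensions, no attested credential)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data_json(origin: str, challenge: str) -> bytes:
    """Constructed sample clientDataJSON as a browser would produce it for an assertion."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode("utf-8")


def verify_rp_binding(authenticator_data: bytes, client_data_json: bytes,
                      expected_rp_id: str, allowed_origins: set) -> bool:
    """Return True only if both the authenticator and the client bound this assertion to our RP.

    Two independent checks are made, so a faulty authenticator reusing a credential across RPs
    (rpIdHash mismatch) and a client reporting the wrong origin are each rejected on their own.
    """
    if len(authenticator_data) < AUTH_DATA_MIN_LEN:
        return False

    # Check 1: the authenticator scoped its signature to our RP ID.
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False

    # Check 2: the client-reported origin is one we serve and is within the RP ID's scope.
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False
    origin = client_data.get("origin")
    if not isinstance(origin, str) or origin not in allowed_origins:
        return False
    host = urlparse(origin).hostname or ""
    if host != expected_rp_id and not host.endswith("." + expected_rp_id):
        return False
    return True


if __name__ == "__main__":
    ok = verify_rp_binding(build_authenticator_data("example.com"),
                           build_client_data_json("https://login.example.com", "c29tZS1jaGFsbGVuZ2U"),
                           "example.com", {"https://login.example.com"})
    print("genuine assertion accepted:", ok)
```

The two checks are deliberately independent: the first rejects an assertion whose `rpIdHash` was computed for a different RP ID even when the client data looks correct, and the second rejects a correct `rpIdHash` paired with an origin the RP does not serve, which is the failure mode the comment describes when only one side of the client/authenticator pair is compliant.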
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:40 UTC