Re: [webauthn] What is the difference between origin verification at client and RP end? (#1434)

It's a defense in depth and good security hygiene. It would help a bit in case a faulty authenticator reuses the same private key and credential ID across RPs, but I think you're right that it's not strictly necessary if both client and authenticator are compliant - if the client is malicious, a phishing site can forge the RP ID anyway, and if the client is benevolent, any valid signature from a phishing site will have been made with the wrong private key.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Thursday, 4 June 2020 18:21:48 UTC
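The two checks the comment contrasts can be made concrete on the relying-party side. The following is an added example, not code from emlun, the WebAuthn spec or any project on this page: it implements the RP-side structural checks on an assertion (recompute SHA-256(rpId) against authenticatorData.rpIdHash, compare clientDataJSON.origin against the origins the RP serves, check type, challenge and the UP/UV flags) and runs them over three constructed scenarios. The RP ID `example.com`, the origins, the challenge bytes and the `evil.example` phishing origin are all assumptions for illustration. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left to the caller so the block runs with the standard library only; the point shown is which check catches which case.

```python
"""RP-side WebAuthn assertion checks (added, constructed example)."""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount, no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return {
        "rpIdHash": auth_data[:32],
        "flags": auth_data[32],
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_rp_id: str, allowed_origins: set, expected_challenge: bytes,
                    require_uv: bool = False) -> list:
    """Return the names of the failed checks; an empty list means all of them passed.

    Signature verification (needs the credential's public key) is the caller's
    job; everything checked here exists independently of the key.
    """
    failures = []
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        failures.append("challenge")
    if cd.get("origin") not in allowed_origins:
        failures.append("origin")
    ad = parse_authenticator_data(authenticator_data)
    if ad["rpIdHash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        failures.append("rpIdHash")
    if not ad["flags"] & FLAG_UP:
        failures.append("UP flag")
    if require_uv and not ad["flags"] & FLAG_UV:
        failures.append("UV flag")
    return failures


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a benign client would serialise it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


# Assumed RP configuration and constructed inputs (illustrative names).
RP_ID = "example.com"
ORIGINS = {"https://example.com", "https://login.example.com"}
CHALLENGE = bytes(range(32))


def scenario_legit():
    return check_assertion(make_client_data("https://login.example.com", CHALLENGE),
                           build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7),
                           RP_ID, ORIGINS, CHALLENGE)


def scenario_phishing_compliant_stack():
    # Benign client + compliant authenticator: the phishing site only gets an
    # assertion scoped to its own RP ID, so rpIdHash and origin both mismatch
    # (and the signature would come from a different key in any case).
    return check_assertion(make_client_data("https://evil.example", CHALLENGE),
                           build_authenticator_data("evil.example", FLAG_UP, 1),
                           RP_ID, ORIGINS, CHALLENGE)


def scenario_origin_only_mismatch():
    # rpIdHash is right but the origin is one the RP does not serve: of the
    # structural checks, only the RP's own origin comparison catches this.
    return check_assertion(make_client_data("https://evil.example", CHALLENGE),
                           build_authenticator_data(RP_ID, FLAG_UP, 1),
                           RP_ID, ORIGINS, CHALLENGE)


if __name__ == "__main__":
    for name, fn in [("legit", scenario_legit),
                     ("phishing, compliant stack", scenario_phishing_compliant_stack),
                     ("origin-only mismatch", scenario_origin_only_mismatch)]:
        print(f"{name}: {fn() or 'ok'}")
```

The third scenario is the one the comment calls defense in depth: a client that mis-derives the RP ID, or an authenticator that reuses a key across RPs, can yield a signature that verifies and an rpIdHash that matches, and the signed `origin` field is then the remaining signal available to the RP. With a malicious client that field is forgeable too, which is why the comment treats the check as hygiene rather than a hard requirement.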