- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 08 Apr 2021 22:00:02 +0000
- To: public-webauthn@w3.org
You can indirectly sign things by passing something in as part of the challenge. Given that the primary use of the key is for authentication, allowing the same key to be used to sign arbitrary data would allow possible man-in-the-middle attacks if not carefully thought through.

We tried to add a KDF extension to WebAuthn in level 2, but there were questions about whether that fell inside the working group's charter, as that only mentioned authentication. That may come back after our new charter as part of level 3.

We did, however, add credBlob so an RP could store a 32-byte value with a discoverable credential. That could be used to derive a key for signing or encrypting in the browser or RP.

-- GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-816256998 using your GitHub account
-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 8 April 2021 22:00:04 UTC
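The credBlob route described in the comment, as an added example that is not part of the original message or of the WebAuthn specification: the RP treats the 32-byte credBlob it stored with the discoverable credential as input keying material and derives a separate MAC key from it with HKDF-SHA256 (RFC 5869), so the authenticator's assertion key is never asked to sign arbitrary data. The RP ID used as salt, the `webauthn-credblob/` info prefix and the sample blob are all constructed assumptions.

```python
"""Derive a per-purpose key from a WebAuthn credBlob with HKDF-SHA256 (stdlib only)."""
import hashlib
import hmac

# Constructed sample: the 32-byte credBlob an RP stored with a discoverable credential.
SAMPLE_CRED_BLOB = bytes(range(32))
SAMPLE_RP_ID = "example.com"  # assumed RP ID; used as the HKDF salt


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output limited to 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(cred_blob: bytes, rp_id: str, purpose: str, length: int = 32) -> bytes:
    """Bind the derived key to this RP and to one purpose so keys for MAC and
    encryption never coincide even though both come from the same credBlob."""
    if len(cred_blob) != 32:
        raise ValueError("credBlob must be exactly 32 bytes")
    prk = hkdf_extract(rp_id.encode("utf-8"), cred_blob)
    info = b"webauthn-credblob/" + purpose.encode("utf-8")  # assumed label scheme
    return hkdf_expand(prk, info, length)


def mac_message(cred_blob: bytes, rp_id: str, message: bytes) -> bytes:
    """Authenticate RP-side data with a key derived from the credBlob."""
    return hmac.new(derive_key(cred_blob, rp_id, "mac"), message, hashlib.sha256).digest()


def verify_mac(cred_blob: bytes, rp_id: str, message: bytes, tag: bytes) -> bool:
    """Constant-time check; a different RP ID or blob yields a different key and fails."""
    return hmac.compare_digest(mac_message(cred_blob, rp_id, message), tag)
```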