Re: [webauthn] Why does WebAuthn require a challenge when asking the client to register a new credential? (#1355)

@marekciupak Correct, if the attestation statement format is `"none"` then the registration response is not signed. Similarly, if the attestation statement format is `"self"` then the registration response is signed by the credential private key - but the corresponding credential public key is conveyed in the same message, so an attacker could easily replace both the public key and the signature (or just replace it with a `"none"` attestation), so the self attestation signature only protects against accidental data corruption but not against intentional manipulation. The challenge does have some value for the other attestation statement formats, though. But in general, WebAuthn credential keys are "trust on first use" - see also [§13.4.4. Attestation Limitations](https://www.w3.org/TR/webauthn-2/#sctn-attestation-limitations).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1355#issuecomment-907628950 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 28 August 2021 13:49:23 UTC
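Added example (not code from the thread, the spec, or any WebAuthn library): a Go model of what a relying party can check for a `"self"` attestation, showing that the check detects corruption but accepts a re-signed message under a different key, which is why the comment above calls credential keys trust on first use. Assumptions: a simplified authData layout (rpIdHash || flags || signCount followed by an uncompressed P-256 point in place of a COSE key) and ECDSA/SHA-256 as the signing algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Registration models the parts of a registration response that matter for a "self"
// attestation: authData, whose tail here stands in for the attested credential public
// key (simplified layout, an assumption), and a signature over authData || clientDataHash.
type Registration struct {
	AuthData, ClientDataHash, Sig []byte
}
// Simplified authData prefix: rpIdHash(32) || flags(1) || signCount(4); the key follows.
const authDataPrefix = 37
func signedDigest(authData, clientDataHash []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return d[:]
}
// signSelf builds a self-attested registration: the credential public key is written
// into authData and the matching private key signs authData || clientDataHash.
func signSelf(priv *ecdsa.PrivateKey, prefix, clientDataHash []byte) (*Registration, error) {
	authData := append(append([]byte{}, prefix...), elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataHash))
	if err != nil {
		return nil, err
	}
	return &Registration{AuthData: authData, ClientDataHash: clientDataHash, Sig: sig}, nil
}
// verifySelf is everything an RP can check for "self": the signature verifies under the
// public key carried in the same message. It proves internal consistency, not origin.
func verifySelf(r *Registration) bool {
	if len(r.AuthData) <= authDataPrefix {
		return false
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), r.AuthData[authDataPrefix:])
	if x == nil {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return ecdsa.VerifyASN1(pub, signedDigest(r.AuthData, r.ClientDataHash), r.Sig)
}
// resignWithKey shows the limitation emlun describes: a party able to rewrite the message
// replaces the key and re-signs, and verifySelf still accepts the result.
func resignWithKey(r *Registration, other *ecdsa.PrivateKey) (*Registration, error) {
	return signSelf(other, r.AuthData[:authDataPrefix], r.ClientDataHash)
}
```

The same substitution is trivially possible with `"none"`, where there is no signature at all; only the other attestation formats bind the signing key to something outside the message.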