Re: [webauthn] Cross origin authentication without iframes (#1667)

I'll let Stephen respond to Akshay's question. But, before that, two notes/questions:

1. Today, WebAuthn _can_ be used (at least for Get operations) in iframes. And, as far as I know, up until this point, we were fine with it. There's nothing an RP can do to prevent it (and I also don't think they need to be able to do that). It has no impact on either security or privacy from my perspective. Any disagreements on that?

2. Anders, though you're correct in saying that _untrusted merchants_ will get to deal with credentialIds, I don't think that's a problem for the security of our implementation. Like public keys, they're not supposed to be secret. Although there is an argument here about linkability (privacy), since we're already dealing with card numbers, I think that's okay? In other words, SPC's security model does _not_ depend on the integrity of untrusted merchants.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-908471233 using your GitHub account

Received on Monday, 30 August 2021 16:08:00 UTC