Re: [webauthn] Adding info about HSTS for the RPID to client Data. (#1554)

I think that some RPs will want to be assured that the assertion comes from a browser enforcing "no user recourse". That seems to be the main ask from NIST around HSTS; we already block JS that is loaded from an insecure origin.

I think including hashes of all the certs from origins contributing to the request would be more useful in preventing attacks. 

GitHub Notification of comment by ve7jtb

Received on Wednesday, 3 February 2021 20:47:51 UTC