I think that some RP will want to be assured that the assertion comes from a browser enforcing "no user recourse". That seems to be the main ask from NIST around HSTS; we already block JS that is loaded from an insecure origin. I think including hashes of all the certs from origins contributing to the request would be more useful in preventing attacks.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1554#issuecomment-772812311 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 3 February 2021 20:47:51 UTC