Re: [webauthn] Adding info about HSTS for the RPID to client Data. (#1554) from John Bradley via GitHub on 2021-02-03 (public-webauthn@w3.org from February 2021)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Feb 2021 20:47:45 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-772812311-1612385264-sysbot+gh@w3.org>

I think that some RP will want to be assured that the assertion comes from a browser enforcing "no user recourse".  That seems to be the main ask from NIST around HSTS, we already block JS that is loaded from an insecure origin.   

I think including hashes of all the certs from origins contributing to the request would be more useful in preventing attacks. 

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1554#issuecomment-772812311 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 3 February 2021 20:47:51 UTC