[webauthn] Adding info about HSTS for the RPID to client Data. (#1554)

ve7jtb has just created a new issue for https://github.com/w3c/webauthn:

== Adding info about HSTS for the RPID to client Data. ==
We have never allowed WebAuthn to non-TLS origins.

HSTS adds another property: prohibiting user recourse to invalid certificates.

We should be using the existing token binding mechanism, but given the current lack of browser support for TokenBinding we need to consider other options.

Arguably RP best practice would be to use HSTS. The problem for them would be to know if at first use by the user agent the header was received and not stripped by a MIM.

There is a preload list that people can get into, but I don't know if that could be blocked by an attacker.

One simple possible solution would be to add a boolean to client data to indicate if the browser is enforcing HSTS for the RPID domain.

To cover the Token Binding functionality we would also need a mechanism to detect mis-issued certificates.

Perhaps something could be done with respect to that around CT, but I don't have a proposal for that.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1554 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 27 January 2021 15:40:15 UTC