Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

> I can't see how this is really going to provide a proof of anything particularly useful unless the camera itself (in the example use case of signing an image) was hardware that included an attest-able FIDO2 authenticator capability and the process of taking and then immediately signing the photograph was therefore "within the authenticator boundary". To suggest the browser can safely broker that transaction is (IMHO) placing too much trust in the relationship the browser has with other peripherals on the device.

Web authentication needs to include both remote authentication and local authentication. The current WebauthN is a set of local authentication protocols. Local authentication needs to ensure that the result is authentic, but remote authentication needs to ensure that the data is authentic. There are similarities, but the threats are different.

GitHub Notification of comment by thedreamwork
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Tuesday, 9 March 2021 04:58:20 UTC