
Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

From: The via GitHub <sysbot+gh@w3.org>
Date: Tue, 09 Mar 2021 04:58:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-793395891-1615265897-sysbot+gh@w3.org>

> I can't see how this is really going to provide a proof of anything particularly useful unless the camera itself (in the example use case of signing an image) was hardware that included an attest-able FIDO2 authenticator capability and the process of taking and then immediately signing the photograph was therefore "within the authenticator boundary". To suggest the browser can safely broker that transaction is (IMHO) placing too much trust in the relationship the browser has with other peripherals on the device.

Web authentication needs to include both remote authentication and local authentication. The current WebAuthn is a set of local authentication protocols. Local authentication needs to ensure that the result is authentic, but remote authentication needs to ensure that the data is authentic. There are similarities, but the threats are different.

-- 
GitHub Notification of comment by thedreamwork
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1580#issuecomment-793395891 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 9 March 2021 04:58:20 UTC
