Re: [webauthn] Does signing the credential public key with the attestation private key prove to the RP that the user owns the credential private key? (#1679) from =JeffH via GitHub on 2021-11-03 (public-webauthn@w3.org from November 2021)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Nov 2021 19:20:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-959847291-1635967237-sysbot+gh@w3.org>

on 2021-11-03 call:
@agl notes  a possible attack which would be due to RPs overwriting existing cred metadata and causing a victim user to login to an attacker's account.  he will write a note for the spec on this./

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1679#issuecomment-959847291 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 3 November 2021 19:20:41 UTC