- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Fri, 19 Nov 2021 19:15:18 +0000
- To: public-webauthn@w3.org
> Can the device private key sign over just clientDataHash instead of (clientDataHash || userCredentialId)? I understand the need to "bind" the device private key to a user credential, but I was thinking the RP can just remember which user credential the device private key is associated with the first time it sees it. Signing over userCredentialId prudently yields a cryptographic binding to the user credential, strongly demonstrating the device private key had access to the userCredentialId. When verified by a RP, it will help prevent the RP being possibly snookered by, say, some form of malware-induced substitution attack (although I do not have such a worked-out attack scenario at this time). Do you anticipate or find it an implementation hardship for the device private key to sign over both clientDataHash and userCredentialId ? -- GitHub Notification of comment by equalsJeffH Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-974338933 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 19 November 2021 19:15:20 UTC