W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2021

Re: [webauthn] Device-bound key extension (#1658)

From: Taylor Trimble via GitHub <sysbot+gh@w3.org>
Date: Fri, 19 Nov 2021 19:33:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-974356303-1637350387-sysbot+gh@w3.org>
> Do you anticipate or find it an implementation hardship for the device private key to sign over both clientDataHash and userCredentialId?

Great question I should have anticipated and led with! No, there's no implementation difficulty. I was simply doing an exercise for my own education to whittle things away from this proposal and see how things break. I was also trying to come up with the RP-gets-snookered attack scenario and wasn't sure I could make it break; though as you said, signing over the `userCredentialId` is prudent anyway. 😉

Thank you for taking the time to think about this and respond!

GitHub Notification of comment by tylrtrmbl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-974356303 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 19 November 2021 19:33:10 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC