- From: Taylor Trimble via GitHub <sysbot+gh@w3.org>
- Date: Fri, 19 Nov 2021 19:33:08 +0000
- To: public-webauthn@w3.org
> Do you anticipate or find it an implementation hardship for the device private key to sign over both clientDataHash and userCredentialId?

Great question I should have anticipated and led with! No, there's no implementation difficulty. I was simply doing an exercise for my own education to whittle things away from this proposal and see how things break. I was also trying to come up with the RP-gets-snookered attack scenario and wasn't sure I could make it break; though as you said, signing over the `userCredentialId` is prudent anyway. 😉

Thank you for taking the time to think about this and respond!

--
GitHub Notification of comment by tylrtrmbl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-974356303 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 19 November 2021 19:33:10 UTC