> Do you anticipate or find it an implementation hardship for the device private key to sign over both clientDataHash and userCredentialId?

Great question I should have anticipated and led with! No, there's no implementation difficulty. I was simply doing an exercise for my own education to whittle things away from this proposal and see how things break. I was also trying to come up with the RP-gets-snookered attack scenario and wasn't sure I could make it break; though as you said, signing over the `userCredentialId` is prudent anyway. 😉

Thank you for taking the time to think about this and respond!

--
GitHub Notification of comment by tylrtrmbl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-974356303 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 19 November 2021 19:33:10 UTC
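The exchange above is about a device-bound key signing over both `clientDataHash` and `userCredentialId`, and why the relying party wants the credential id inside the signed data. The following is an added example, not code from the thread or from the WebAuthn specification: it uses a plain concatenation of the two inputs as the signed payload (an assumption made for illustration; the real proposal's encoding is not shown on this page) and an ECDSA P-256 device key, and shows that the RP's verification succeeds for the credential the signature was made for and fails when the same signature is presented against a different credential id. The credential ids and client data are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedPayload builds the bytes the device key signs over.
// Assumption for this example: clientDataHash || userCredentialId.
// This is an illustration, not the encoding used by the WebAuthn proposal.
func signedPayload(clientDataHash, userCredentialId []byte) []byte {
	buf := make([]byte, 0, len(clientDataHash)+len(userCredentialId))
	buf = append(buf, clientDataHash...)
	buf = append(buf, userCredentialId...)
	return buf
}

// deviceSign is the authenticator side: the device private key signs the
// SHA-256 of the payload that binds this assertion to one credential.
func deviceSign(priv *ecdsa.PrivateKey, clientDataHash, userCredentialId []byte) ([]byte, error) {
	digest := sha256.Sum256(signedPayload(clientDataHash, userCredentialId))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// rpVerify is the relying-party side: it rebuilds the payload from the
// clientDataHash it computed itself and the credential id it looked up in
// its own records, then checks the signature with the stored device public key.
func rpVerify(pub *ecdsa.PublicKey, clientDataHash, userCredentialId, sig []byte) bool {
	digest := sha256.Sum256(signedPayload(clientDataHash, userCredentialId))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo signs for credential A and reports whether the signature verifies
// for A (expected true) and whether it also verifies for credential B
// (expected false, because B is part of the signed bytes).
func demo() (okSameCredential bool, okOtherCredential bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Constructed sample inputs; a real clientDataHash is SHA-256 of the
	// serialized clientDataJSON.
	clientDataHash := sha256.Sum256([]byte(`{"type":"webauthn.get","challenge":"constructed-challenge"}`))
	credA := []byte("constructed-credential-id-A")
	credB := []byte("constructed-credential-id-B")

	sig, err := deviceSign(priv, clientDataHash[:], credA)
	if err != nil {
		return false, false, err
	}

	okSameCredential = rpVerify(&priv.PublicKey, clientDataHash[:], credA, sig)
	okOtherCredential = rpVerify(&priv.PublicKey, clientDataHash[:], credB, sig)
	return okSameCredential, okOtherCredential, nil
}

func main() {
	same, other, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifies for credential A: %v\n", same)
	fmt.Printf("verifies for credential B: %v\n", other)
}
```

The RP never trusts a credential id carried inside the assertion for this check; it uses the id it already associated with the stored device public key, so a signature can only satisfy the verification for the credential it was actually produced for.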
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC