Re: [webauthn] Device-bound key extension (#1658)

> Do you anticipate or find it an implementation hardship for the device private key to sign over both clientDataHash and userCredentialId?

Great question I should have anticipated and led with! No, there's no implementation difficulty. I was simply doing an exercise for my own education to whittle things away from this proposal and see how things break. I was also trying to come up with the RP-gets-snookered attack scenario and wasn't sure I could make it break; though as you said, signing over the `userCredentialId` is prudent anyway. 😉

Thank you for taking the time to think about this and respond!

GitHub Notification of comment by tylrtrmbl

Received on Friday, 19 November 2021 19:33:10 UTC