Re: [webauthn] Does signing the credential public key with the attestation private key prove to the RP that the user owns the credential private key? (#1679)

@boogerlad You're right that in the case of non-Self attestation, there is no direct proof during the registration ceremony that the user possesses the credential private key (although an indirect assurance might be derived from the attestation, as @dwaite describes). So yes, a defective authenticator could return a public key it doesn't actually have the private key for, which could inadvertently lock the user out of their account. But a malicious user has nothing to gain from doing that intentionally.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1679#issuecomment-954058834 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 28 October 2021 17:37:58 UTC
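The distinction emlun draws above, as an added Go example that is not part of this thread or of any WebAuthn implementation: it models the RP's registration signature check for Self versus Basic attestation over a constructed payload and shows that only the Self check fails when an authenticator reports a credential public key whose private half it does not hold. The function names, the simplified payload (a stand-in for authenticatorData || SHA-256(clientDataJSON)) and the sample clientData are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for what the RP verifies at registration: authenticatorData ||
// SHA-256(clientDataJSON), with authenticatorData reduced to the reported credential key.
func signedPayload(reported *ecdsa.PublicKey, clientDataHash []byte) []byte {
	sum := sha256.Sum256(append(append(reported.X.Bytes(), reported.Y.Bytes()...), clientDataHash...))
	return sum[:]
}

// Self attestation: the signature must verify under the reported credential key
// itself, so it passes only if the authenticator holds that key's private half.
func verifySelf(reported *ecdsa.PublicKey, cdh, sig []byte) bool {
	return ecdsa.VerifyASN1(reported, signedPayload(reported, cdh), sig)
}

// Non-Self (e.g. Basic) attestation: verified under the attestation key, which says
// nothing about whether the reported credential key's private half exists anywhere.
func verifyBasic(attPub, reported *ecdsa.PublicKey, cdh, sig []byte) bool {
	return ecdsa.VerifyASN1(attPub, signedPayload(reported, cdh), sig)
}

// RegisterScenario models an authenticator holding credKey and attKey; with defective=true
// it reports a credential key it cannot sign with. Returns (selfOK, basicOK) as the RP sees them.
func RegisterScenario(defective bool) (bool, bool) {
	credKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reported := &credKey.PublicKey
	if defective {
		other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		reported = &other.PublicKey // private half is never held: the user will be locked out
	}
	cdh := sha256.Sum256([]byte(`{"type":"webauthn.create","challenge":"constructed"}`))
	payload := signedPayload(reported, cdh[:])
	selfSig, _ := ecdsa.SignASN1(rand.Reader, credKey, payload) // device signs with the key it has
	basicSig, _ := ecdsa.SignASN1(rand.Reader, attKey, payload)
	return verifySelf(reported, cdh[:], selfSig), verifyBasic(&attKey.PublicKey, reported, cdh[:], basicSig)
}

func main() {
	fmt.Println(RegisterScenario(false)) // healthy device: true true
	fmt.Println(RegisterScenario(true))  // defective device: false true
}
```

The second line of output is the point of the comment: Basic attestation still verifies, so the RP cannot tell at registration that the reported key is unusable.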