Re: [webauthn] Add transport used during authentication to assertion payload (#1668)

> This field isn't part of the signed collected client data, so can't this be tampered with during the response?

The user-agent could "tamper" with it, yes. As with several other fields (including the transport list in the registration).

> There is already a signed extension for this purpose, so how is this an improvement?

There's no extension defined for this but, even if we defined one, it wouldn't have any support from authenticators. An extension isn't needed for the motivating use here, which is allow a website to figure out whether to offer to register a platform authenticator.

GitHub Notification of comment by agl
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 9 September 2021 00:17:52 UTC