Re: [webauthn] Add transport used during authentication to assertion payload (#1668)

> This field isn't part of the signed collected client data, so can't this be tampered with during the response?

The user-agent could "tamper" with it, yes. As with several other fields (including the transport list in the registration).

> There is already a signed extension for this purpose, so how is this an improvement?

There's no extension defined for this but, even if we defined one, it wouldn't have any support from authenticators. An extension isn't needed for the motivating use here, which is to allow a website to figure out whether to offer to register a platform authenticator.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1668#issuecomment-915659460 using your GitHub account



Received on Thursday, 9 September 2021 00:17:52 UTC