Re: [webauthn] Split RP ops "Registering a new credential" into one with and one without attestation (#1710)

As far as I understand, when registering credentials, the signature is concealed somewhere deep in this authenticator-specific `attStmt` object.

So, without attestation means without signature, and the client can freely tamper with all the data anyway (very easily). In the end, in the absence of a signature, you can simply send the public key over since none of the data can be trusted anyway.

Or did I miss something?

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1710#issuecomment-1081768154 using your GitHub account



Received on Tuesday, 29 March 2022 11:44:01 UTC