Re: [webauthn] Split RP ops "Registering a new credential" into one with and one without attestation (#1710)

Actually, as a newcomer, I have issues wrapping my head around the whole thing. The puzzle is slowly coming together. The verification process is very long, including attestations; however, I fail to see how it prevents tampering at all.

Basically, because of the generated challenge, you can associate it to the corresponding "receiver". However, the content, with attestation or not, is taken in good faith. It would be trivial to write a bot that requests a challenge, produces a key pair, and produces arbitrary registration payloads, whether signed/attested or not ...so in that context a signature does not matter at all and incoming flags/infos should be considered purely informational anyway. Right?

...so, again a dumb question but: is it worth verifying anything? After all, a malicious script, whether browser based or not, can just build arbitrary registration payloads. If you get your hands on the challenge, you can register whatever you want for it without even calling webauthn. There is nothing you can really prove besides that it is the right challenge.

Am I missing something or is there a way to prevent a script from building arbitrary registrations? 

If these assumptions hold, all that's really needed for a registration is `credential.id` and `credential.response.getPublicKey()`. All other stuff is optional informative metadata that could have been tampered with invented key pairs. Sorry again if I speak nonsense. As I said, I have difficulties assimilating this spec.

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1710#issuecomment-1082028274 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 March 2022 15:32:47 UTC
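For readers following the question above, an added example (not code from the WebAuthn spec, the w3c/webauthn project, or this thread) of the registration checks a relying party can make with no attestation statement at all ("none" attestation): challenge, origin, rpIdHash and flags from clientDataJSON and authenticatorData. The RP ID, origin, credential id and COSE key bytes below are constructed sample values, and the COSE key is a placeholder header rather than a full key.

```python
# Added example (not code from the WebAuthn spec or this thread): the checks a
# relying party (RP) can make on a registration response with no attestation,
# i.e. attestation format "none". Sample values below are constructed.
import base64
import hashlib
import json
import struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_registration(client_data_json: bytes, auth_data: bytes,
                        expected_challenge: bytes, expected_origin: str,
                        rp_id: str):
    """Return (credential_id, cose_public_key_bytes) or raise ValueError."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    # The challenge binds this response to the session the RP issued it for.
    if client_data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch")
    # The origin field is written by the browser, not by page script.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    # authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    flags = auth_data[32]
    if not flags & 0x01:      # UP: user presence
        raise ValueError("user presence not asserted")
    if not flags & 0x40:      # AT: attested credential data included
        raise ValueError("no credential data in authenticatorData")
    # attestedCredentialData: aaguid(16) | credentialIdLength(2) | credentialId | COSE key
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_id_len]
    cose_key = auth_data[55 + cred_id_len:]
    return cred_id, cose_key

# Constructed sample: what an RP for rp.example would receive with fmt "none".
CHALLENGE = bytes(range(32))
RP_ID, ORIGIN = "rp.example", "https://rp.example"
CRED_ID = b"\x11" * 16
COSE_KEY = b"\xa5\x01\x02\x03\x26"   # placeholder COSE_Key prefix, not a real key
AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest() + bytes([0x41])
             + struct.pack(">I", 0) + b"\x00" * 16
             + struct.pack(">H", len(CRED_ID)) + CRED_ID + COSE_KEY)
CLIENT_DATA = json.dumps({"type": "webauthn.create",
                          "challenge": b64url(CHALLENGE),
                          "origin": ORIGIN}).encode()
```

These checks establish that the response answers this RP's challenge for this RP ID and origin; binding the new key to a particular authenticator model is what the attestation statement, when present, adds on top.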