Re: [webauthn] Split RP ops "Registering a new credential" into one with and one without attestation (#1710)

> Basically, because of the generated challenge, you can associate it with the corresponding "receiver". However, the content, with attestation or not, is taken in good faith. It would be trivial to write a bot that requests a challenge, produces a key pair, and produces arbitrary registration payloads, whether signed/attested or not ...so in that context a signature does not matter at all and incoming flags/infos should be considered purely informational anyway. Right?

If you want to know that only legitimate authenticators can be registered for use with your site, then you want to request an attestation statement. Responses are only really taken "in good faith" when you don't request one because, as you mention, there's no signature over anything.

What requesting an attestation statement gets you is:

- A signature over authenticator data and client data
- A chain of certificates that links back to known root certificates owned by the various hardware vendors

It's that last one that can't be faked by software. No one other than the owner of the root cert private key can sign any connection to any generated intermediate certificates. Since it's the leaf cert that's ultimately used to validate the attestation statement's signature, faked responses wouldn't ever pass legitimate response verification because the faked leaf certificate couldn't ever be linked back to a valid root cert.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1710#issuecomment-1082058793 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 March 2022 16:01:32 UTC
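The two checks the comment describes, as an added example in Go that is not code from the thread, from the WebAuthn spec, or from any WebAuthn library: a "packed" attestation statement carrying an x5c chain and an ES256 signature over authenticatorData || clientDataHash is verified against the leaf certificate's key, and the leaf is then chained through the supplied intermediates to a root the RP already trusts. The vendor PKI, the bot's own PKI, the authenticatorData (truncated after the sign count) and the clientDataJSON are all constructed inside the block so it runs offline. The bot's response carries a perfectly valid signature under a certificate it issued itself; it fails only at the chain step, which is the point of the comment. The spec's full packed-format procedure adds further checks on the attestation certificate (for example the AAGUID extension against the one in the authenticator data) that are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario is one constructed registration attested two ways: by a leaf that chains to
// the vendor root, and by a bot's leaf that is correctly signed but by a CA nobody trusts.
type Scenario struct {
	AuthData, ClientDataHash []byte
	Roots                    *x509.CertPool
	LegitSig, ForgedSig      []byte
	LegitX5c, ForgedX5c      []*x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for key's public half. With parent == nil the certificate
// is self-signed (a root); otherwise parentKey must be the key behind parent.
func issue(serial int64, cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// signAttestation is the authenticator side: ES256 over authenticatorData || clientDataHash.
func signAttestation(key *ecdsa.PrivateKey, authData, clientDataHash []byte) []byte {
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyPackedAttestation is the RP side: the signature must verify under the leaf (x5c[0]),
// the leaf must not be a CA, and the leaf must chain via x5c[1:] to a root in roots.
func VerifyPackedAttestation(authData, clientDataHash, sig []byte, x5c []*x509.Certificate, roots *x509.CertPool) error {
	if len(x5c) == 0 {
		return errors.New("x5c is empty")
	}
	leaf := x5c[0]
	if leaf.IsCA {
		return errors.New("attestation certificate must not be a CA")
	}
	signed := append(append([]byte{}, authData...), clientDataHash...)
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, signed, sig); err != nil {
		return fmt.Errorf("attestation signature: %w", err)
	}
	inter := x509.NewCertPool()
	for _, c := range x5c[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("attestation chain: %w", err)
	}
	return nil
}

func BuildScenario() *Scenario {
	// Constructed authenticatorData: rpIdHash || flags (UP|UV|AT) || signCount=1.
	rpIDHash := sha256.Sum256([]byte("example.com"))
	authData := append(rpIDHash[:], 0x45, 0, 0, 0, 1)
	cdh := sha256.Sum256([]byte(`{"type":"webauthn.create","challenge":"constructed","origin":"https://example.com"}`))

	rootKey, interKey, authKey := newKey(), newKey(), newKey()
	root := issue(1, "Example Vendor Root", true, rootKey, nil, nil)
	inter := issue(2, "Example Vendor Intermediate", true, interKey, root, rootKey)
	leaf := issue(3, "Example Authenticator", false, authKey, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only trust anchor the RP has

	botCAKey, botKey := newKey(), newKey() // the bot's PKI: unrelated to the vendor root
	botCA := issue(4, "Bot CA", true, botCAKey, nil, nil)
	botLeaf := issue(5, "Bot Authenticator", false, botKey, botCA, botCAKey)

	return &Scenario{AuthData: authData, ClientDataHash: cdh[:], Roots: roots,
		LegitSig: signAttestation(authKey, authData, cdh[:]), LegitX5c: []*x509.Certificate{leaf, inter},
		ForgedSig: signAttestation(botKey, authData, cdh[:]), ForgedX5c: []*x509.Certificate{botLeaf, botCA}}
}

func main() {
	s := BuildScenario()
	fmt.Println("vendor-attested:", VerifyPackedAttestation(s.AuthData, s.ClientDataHash, s.LegitSig, s.LegitX5c, s.Roots))
	fmt.Println("bot-attested:   ", VerifyPackedAttestation(s.AuthData, s.ClientDataHash, s.ForgedSig, s.ForgedX5c, s.Roots))
}
```

Running it prints `<nil>` for the vendor-attested response and an "unknown authority" chain error for the bot's, even though the bot's signature itself checks out. Flipping any bit of authenticatorData, or dropping the intermediate from x5c, makes the legitimate response fail too, which is what distinguishes a verified attestation from the "good faith" case where no statement was requested.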