Re: [webauthn] Drop generic client extension processing? (#1730)

Except, because it's not signed, you can't use it to trust that an rk was created, because the client can lie and tamper with that, meaning you can't use it to assert that a usernameless or 2FA-only flow can be used....

If it's not meant to be proof of anything, why does it exist, and use language that makes it sound like a proof? It's fully misleading, and RPs will absolutely incorrectly rely on this value.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1730#issuecomment-1124437660 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 12 May 2022 01:25:04 UTC
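The point in the comment above, that a client extension output like credProps.rk lies outside what the authenticator signs, can be shown concretely. The following is an added example, not code from this thread, the WebAuthn spec or any of its implementations. It assumes a shared-key HMAC as a stand-in for the authenticator's public-key signature so it runs offline; the coverage of the signature (authData || SHA-256(clientDataJSON)) and the authenticator-data layout are the real WebAuthn rules, while the rpId, origin and key material are constructed.

```python
"""Why an RP cannot treat credProps.rk as proof: it is never under the signature.

Added example (not from the w3c/webauthn thread). The HMAC stands in for the
authenticator's real public-key signature; everything else follows the spec's
signing rule: the authenticator signs authData || SHA-256(clientDataJSON), and
clientExtensionResults (where credProps lives) is not an input to that.
"""
import hashlib
import hmac
import json
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data present
FLAG_ED = 0x80  # authenticator extension data present

STAND_IN_KEY = b"constructed-authenticator-key"  # constructed; stands in for the signing key


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Minimal authenticator data: rpIdHash (32) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """RP-side parse of the fixed 37-byte prefix of authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_credential_data": bool(flags & FLAG_AT),
        "has_authenticator_extensions": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Exactly the bytes the authenticator signs. Note what is absent: clientExtensionResults."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def authenticator_sign(auth_data: bytes, client_data_json: bytes) -> bytes:
    # Stand-in for the ECDSA/EdDSA signature; the coverage is what matters here.
    return hmac.new(STAND_IN_KEY, signed_payload(auth_data, client_data_json), hashlib.sha256).digest()


def make_response(rp_id: str, rk_reported: bool) -> dict:
    """What the client hands to the RP. credProps.rk is filled in by the client, not the authenticator."""
    auth_data = build_authenticator_data(rp_id, FLAG_UP | FLAG_UV, 1)
    client_data_json = json.dumps({"type": "webauthn.create", "origin": "https://" + rp_id}).encode()
    return {
        "authenticatorData": auth_data,
        "clientDataJSON": client_data_json,
        "signature": authenticator_sign(auth_data, client_data_json),
        "clientExtensionResults": {"credProps": {"rk": rk_reported}},
    }


def tamper_client_extensions(response: dict, rk: bool) -> dict:
    """A client (or anything between client and RP) rewriting the unsigned rk value."""
    tampered = dict(response)
    tampered["clientExtensionResults"] = {"credProps": {"rk": rk}}
    return tampered


def tamper_flags(response: dict, flags: int) -> dict:
    """Rewriting a signed field (the flags byte inside authData) for comparison."""
    auth = response["authenticatorData"]
    tampered = dict(response)
    tampered["authenticatorData"] = auth[:32] + bytes([flags]) + auth[33:]
    return tampered


def rp_verify(response: dict) -> bool:
    """RP-side signature check over the signed fields only."""
    expected = authenticator_sign(response["authenticatorData"], response["clientDataJSON"])
    return hmac.compare_digest(expected, response["signature"])


def rp_rk_hint(response: dict):
    """The only thing an RP can read from credProps: an unsigned hint, None if absent."""
    return response["clientExtensionResults"].get("credProps", {}).get("rk")


if __name__ == "__main__":
    r = make_response("example.com", True)
    print("genuine response verifies:", rp_verify(r), "rk hint:", rp_rk_hint(r))
    t = tamper_client_extensions(r, False)
    print("rk flipped, still verifies:", rp_verify(t), "rk hint:", rp_rk_hint(t))
    f = tamper_flags(r, FLAG_UP)  # drop the UV bit, which is under the signature
    print("UV flag flipped, verifies:", rp_verify(f))
```

Running it shows the asymmetry: flipping `credProps.rk` leaves `rp_verify` true because the signed payload never changes, while flipping a bit inside authData invalidates the signature. An RP that wants to know whether a discoverable credential exists has to establish that through a signed path (for example a later assertion made without an allowCredentials list), not from the rk hint.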