[webauthn] Attestation for DPK (device-bound public key) (#1798)

keikoit has just created a new issue for https://github.com/w3c/webauthn:

== Attestation for DPK (device-bound public key) ==
After discussing DPK (device-bound public key) with various RPs, we agree that those RPs who want to use a DPK need attestation for a DPK, and the attestation must be protected from replay attacks.
I am wondering if this requirement is specified in the specification already?
Without replay attack protection, a DPK is equivalent to a bearer token and RPs cannot trust it.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1798 using your GitHub account


Received on Saturday, 10 September 2022 00:04:33 UTC