Re: [webauthn] Move step 16 of Registration to between 21 and 22 (#1555)

Sorry for the delay. But coming back to this, I no longer feel convinced that any change is necessary.

The primary argument in favour of a change is that you shouldn't trust the contents of the attestation object before you've verified and decided to trust (or decided to ignore) the attestation signature. But if the contents are wrong - be it because `"alg"` has an unallowed value, or the `challenge` is incorrect, or whatever - then you're going to reject the registration anyway, so whether you trust the attestation is irrelevant. The registration has to pass BOTH content validation AND signature verification to be accepted, so it doesn't matter for security in which order you perform those checks. If anything it's a tiny bit better for performance and energy savings to validate the contents before verifying the signature, as the signature verification is likely to take the most work to perform.

So I now think we should close this issue with no further action.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1555#issuecomment-1255245677 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 22 September 2022 16:09:03 UTC
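The point in the comment above, that the registration verdict is the conjunction of content validation and attestation-signature verification and therefore cannot depend on which check runs first, can be shown with a small simulation of the registration checks. The code below is an added example, not code from the commenter or from the WebAuthn specification. It constructs sample registration responses inline and uses HMAC-SHA256 as a stand-in for the authenticator's attestation signature (real attestations use an asymmetric algorithm such as ES256); `RP_ID`, `ORIGIN`, `ALLOWED_ALGS` and the helper names are assumptions for the example. It returns the verdict together with the number of signature checks actually performed, so the only difference between the two orderings is visible: rejections caught by content validation never pay for the signature check.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the attestation key; only so the example runs offline
# with the standard library. Real attestation signatures are asymmetric.
ATTESTATION_KEY = b"example-attestation-key"

RP_ID = "example.com"                 # assumed relying party ID
ORIGIN = "https://example.com"        # assumed expected origin
ALLOWED_ALGS = {-7, -257}             # COSE ids for ES256 and RS256


def attestation_signature(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Stand-in for the signature over authData || SHA-256(clientDataJSON)."""
    client_data_hash = hashlib.sha256(client_data_json).digest()
    return hmac.new(ATTESTATION_KEY, auth_data + client_data_hash, hashlib.sha256).digest()


def make_registration(challenge: str, alg: int = -7, rp_id: str = RP_ID,
                      tamper_sig: bool = False) -> dict:
    """Build a sample registration response (constructed data, not real authenticator output)."""
    client_data_json = json.dumps({
        "type": "webauthn.create",
        "challenge": challenge,
        "origin": ORIGIN,
    }).encode()
    # authData layout: rpIdHash (32 bytes) || flags (UP|UV|AT = 0x45) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x45" + b"\x00\x00\x00\x01"
    sig = attestation_signature(auth_data, client_data_json)
    if tamper_sig:
        sig = bytes([sig[0] ^ 0x01]) + sig[1:]  # corrupt one bit of the signature
    return {"clientDataJSON": client_data_json, "authData": auth_data,
            "attStmt": {"alg": alg, "sig": sig}}


def validate_contents(reg: dict, expected_challenge: str) -> bool:
    """Content checks of the registration ceremony: type, challenge, origin, rpIdHash, alg."""
    try:
        client_data = json.loads(reg["clientDataJSON"])
    except ValueError:
        return False
    if client_data.get("type") != "webauthn.create":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    if client_data.get("origin") != ORIGIN:
        return False
    if reg["authData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if reg["attStmt"]["alg"] not in ALLOWED_ALGS:
        return False
    return True


class SignatureCounter:
    """Records how many times the (expensive) signature check actually ran."""
    def __init__(self):
        self.calls = 0


def verify_signature(reg: dict, counter: SignatureCounter) -> bool:
    counter.calls += 1
    expected = attestation_signature(reg["authData"], reg["clientDataJSON"])
    return hmac.compare_digest(expected, reg["attStmt"]["sig"])


def verify_registration(reg: dict, expected_challenge: str, contents_first: bool = True):
    """Return (accepted, signature_checks_run).

    The verdict is the AND of both checks, so it is the same in either order;
    only the amount of work done before a rejection differs."""
    counter = SignatureCounter()
    if contents_first:
        accepted = validate_contents(reg, expected_challenge) and verify_signature(reg, counter)
    else:
        accepted = verify_signature(reg, counter) and validate_contents(reg, expected_challenge)
    return accepted, counter.calls


def orders_agree(reg: dict, expected_challenge: str) -> bool:
    """True when both check orderings reach the same accept/reject verdict."""
    a, _ = verify_registration(reg, expected_challenge, contents_first=True)
    b, _ = verify_registration(reg, expected_challenge, contents_first=False)
    return a == b


if __name__ == "__main__":
    cases = {
        "valid": make_registration("abc"),
        "wrong challenge": make_registration("xyz"),
        "unallowed alg": make_registration("abc", alg=-8),
        "tampered signature": make_registration("abc", tamper_sig=True),
    }
    for name, reg in cases.items():
        print(name, "contents-first:", verify_registration(reg, "abc", True),
              "signature-first:", verify_registration(reg, "abc", False))
```

Running the block prints, for each constructed case, the same verdict under both orderings; the second element of each tuple shows that the contents-first order skips the signature check whenever content validation already rejects the registration, which is the performance argument made in the comment.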