- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Sat, 25 Feb 2023 00:13:32 +0000
- To: public-webauthn@w3.org
@agl >While the implementation challenge is non-trivial for the browser, a challengeCallback of type () -> Promise<BufferSource> as an alternative to challenge is interesting. Though I'm speaking from the RP side rather than the browser side, this would be very nice, and would certainly work for me. (Especially if combined with #1854.) >Challenges can be stored client-side, and contain something like HMAC(timestamp), but we want those challenges to be time-bounded otherwise the assertion turns into a password that, if leaked, can be reused. I am curious, are you saying that it would be acceptable for RPs to ignore actual replays so long as challenges are tightly time-bounded? --- @sbweeden Truly, I was thinking the same thing. If challenge lifetimes are a security concern, it would be quite nice to be able to make them sub-minute long. -- GitHub Notification of comment by dolda2000 Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1444778378 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 25 February 2023 00:13:33 UTC