Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856) from timurnkey via GitHub on 2023-06-09 (public-webauthn@w3.org from June 2023)

From: timurnkey via GitHub <sysbot+gh@w3.org>
Date: Fri, 09 Jun 2023 16:55:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1584885756-1686329715-sysbot+gh@w3.org>

I'm trying to understand the various attack vectors around challenge generation. The assertion case makes a lot of sense to me, but I'm having trouble understanding why the challenge matters in the attestation case. Specifically, why is [step #8 important](https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential)?

1. (challenge generated in trusted environment) -> I asked "you" to show proof of real-time ownership
2. (challenge generated in untrusted environment) -> Someone asked "you", or someone else, to prove previous ownership

Is this the right way to think about that? Since this uses a trust-of-first-use model... what's the worst case scenario if the challenge isn't generated in a trusted environment?

-- 
GitHub Notification of comment by timurnkey
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1584885756 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 9 June 2023 16:55:18 UTC