- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Tue, 27 Jun 2023 01:45:42 +0000
- To: public-webauthn@w3.org
sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Revisit description of userHandle ==

## Proposed Change

I may be way off base here, but I feel there is something incorrect about the way we currently describe userHandle. The [current description of userHandle](https://w3c.github.io/webauthn/#user-handle) suggests:

```
The main use of the user handle is to identify the user account in such authentication ceremonies, but the credential ID could be used instead.
```

I don't think this is true. I think the main use of the user handle is to _allow authenticators to decide when to replace a discoverable credential they already have with a new one during navigator.credentials.create_.

An RP cannot trust userHandle during assertion flows as it is not signed. Only the credentialID is signed. Therefore the RP MUST use the credentialID to look up a public key for signature validation and the associated user account. The user handle can then be verified to be correct as described in step 6 of section 7.2 ([Verifying an Authentication Assertion](https://w3c.github.io/webauthn/#sctn-verifying-assertion)); however, the RP should not be using the userHandle for this lookup because it can be modified by a nefarious user at the browser after navigator.credentials.get is called, and before the assertion payload is sent to the RP.

IMO the validation step in [Verifying an Authentication Assertion](https://w3c.github.io/webauthn/#sctn-verifying-assertion) does little else other than to detect that something bad happened either when the credential was created, or during the assertion flow.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1909 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 27 June 2023 01:45:44 UTC
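The RP-side identification step the issue argues for (look the credential record up by the signed credential ID, and only cross-check the unsigned userHandle against the record found), as an added Python example that is neither the issue author's code nor the spec's text; the credential store, user IDs and key placeholders are constructed for the example.

```python
"""Added example: user identification during assertion verification (the step 6 of
section 7.2 logic referred to in the issue). Store contents are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class CredentialRecord:
    credential_id: bytes  # the value the RP keys its store on; it is covered by the signature
    user_id: bytes        # user.id supplied at registration; returned later as userHandle
    public_key: str       # placeholder for the stored COSE public key


# Constructed RP store, keyed by credential ID only. userHandle is never a lookup key.
CREDENTIAL_STORE: Dict[bytes, CredentialRecord] = {
    b"cred-alice-1": CredentialRecord(b"cred-alice-1", b"user-alice", "<cose-key-alice>"),
    b"cred-bob-1": CredentialRecord(b"cred-bob-1", b"user-bob", "<cose-key-bob>"),
}


class AssertionRejected(Exception):
    """Raised when the assertion must be rejected before signature verification."""


def identify_user(credential_id: bytes, user_handle: Optional[bytes],
                  pre_identified_user: Optional[bytes] = None) -> CredentialRecord:
    """Return the record whose public key will verify the signature.

    The lookup is driven by credential_id. user_handle (unsigned, modifiable in the
    browser) is only compared against the owner recorded for that credential."""
    record = CREDENTIAL_STORE.get(credential_id)
    if record is None:
        raise AssertionRejected("unknown credential ID")
    if pre_identified_user is not None:
        # User was identified before the ceremony (e.g. by username): the credential
        # must belong to that account, whatever userHandle says.
        if record.user_id != pre_identified_user:
            raise AssertionRejected("credential does not belong to the identified user")
    else:
        # Discoverable-credential flow: userHandle must be present and must agree
        # with the owner of the credential selected by credential_id.
        if user_handle is None:
            raise AssertionRejected("userHandle missing in discoverable-credential flow")
        if user_handle != record.user_id:
            raise AssertionRejected("userHandle does not match the credential's owner")
    return record


def is_rejected(credential_id: bytes, user_handle: Optional[bytes],
                pre_identified_user: Optional[bytes] = None) -> bool:
    """Convenience wrapper: True if identify_user rejects the combination."""
    try:
        identify_user(credential_id, user_handle, pre_identified_user)
        return False
    except AssertionRejected:
        return True
```

A userHandle altered in the browser (for example, Alice's assertion carrying Bob's user ID) therefore results in rejection rather than a lookup of Bob's account, because the record is chosen by credential ID and the handle is only checked against it.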