Re: [webauthn] RP operations: some extension processing may assume that the encompassing signature is valid (#1711)

I think the concern about `devicePubKey` is mostly resolved at the moment by the combination of #1807 and #1812, as the steps to store new DPK records are now deferred to after signature verification. But I wonder if in a broader perspective it's still worth moving extension processing to after signature verification anyway, so this doesn't come up again in future extensions - or extensions defined in other specs, for that matter. Thoughts on that? I'm happy to do it in that case.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1711#issuecomment-1476289090 using your GitHub account


Received on Monday, 20 March 2023 14:01:20 UTC
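
The ordering discussed in the comment above, as an added example (not part of the original message or of the WebAuthn specification): the relying party verifies the assertion signature first and only then lets extension handlers change state. The `exampleStatefulExt` extension, the JSON-modelled authenticator data and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed P-256 key pair standing in for a registered credential (assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Assumption: authenticator data is modelled as JSON bytes, not the real binary/CBOR layout.
const encodeAuthData = (extensions) => Buffer.from(JSON.stringify({ signCount: 1, extensions }));

// Hypothetical authenticator: signs authData || SHA-256(clientDataJSON).
function makeAssertion(authData, clientDataJSON) {
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
}

// Hypothetical stateful extension handler: persists a record from the extension output.
const handlers = { exampleStatefulExt: (output, store) => store.push(output.record) };

function verifyAssertion(assertion, credentialKey, store) {
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  // Step 1: verify the signature; nothing below runs on unauthenticated data.
  if (!crypto.verify('sha256', signed, credentialKey, assertion.signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Step 2: only now parse extension outputs and let handlers change state.
  const { extensions = {} } = JSON.parse(assertion.authData.toString('utf8'));
  for (const [id, output] of Object.entries(extensions)) {
    if (handlers[id]) handlers[id](output, store);
  }
  return { ok: true };
}

function runDemo() {
  const store = [];
  const clientDataJSON = Buffer.from('{"type":"webauthn.get","challenge":"constructed"}');
  const genuine = makeAssertion(encodeAuthData({ exampleStatefulExt: { record: 'key-A' } }), clientDataJSON);
  // Constructed tampered copy: extension output replaced, original signature kept.
  const tampered = { ...genuine, authData: encodeAuthData({ exampleStatefulExt: { record: 'key-X' } }) };
  return {
    genuine: verifyAssertion(genuine, publicKey, store),
    tampered: verifyAssertion(tampered, publicKey, store),
    stored: store,
  };
}

console.log(runDemo());
```

With the handler loop placed before the signature check instead, the tampered copy's record would have been stored before the assertion was rejected.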