Re: [webauthn] devicePubKey → supplementalPubKeys (#1957) from David Waite via GitHub on 2023-09-11 (public-webauthn@w3.org from September 2023)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Sep 2023 14:02:56 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1713954825-1694440974-sysbot+gh@w3.org>

Since both the provider and device key signatures are over assertion data input, I assume this means the provider signature does not protect the device key. 

Is there a way to know that the device key is coming from a device within a provider, vs having an intermediary which overrides and provides a consistent key across devices?

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1713954825 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 September 2023 14:02:59 UTC