Re: [webauthn] Code Injection vulnerability from client side (#1965) from John Bradley via GitHub on 2023-09-17 (public-webauthn@w3.org from September 2023)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Sun, 17 Sep 2023 03:53:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1722384006-1694922825-sysbot+gh@w3.org>

Now you are getting g into the specifics of the win32 "security model".  That is probably out of scope for WebAuthn.  On platforms that have authenticated apps like android those apps can only use RPID that they prove they control preventing them from man in the middling other RPID. 

Microsoft should comment on why they have chosen the approach they have taken. 

At this point there is no perfect platform unfortunately. 

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722384006 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 17 September 2023 03:53:49 UTC