Re: [webauthn] Code Injection vulnerability from client side (#1965)

However, I noticed just now that in [§2. Conformance](https://w3c.github.io/webauthn/#sctn-conformance) we claim (emphasis added):

>This specification defines three conformance classes. Each of these classes is specified so that **conforming members of the class are secure against non-conforming or hostile members of the other classes**.

I'm not sure how true that statement is, unless it's meant to be understood in some very specific, narrowly scoped way. For example, a non-conforming client can direct its user to use a conforming authenticator to authenticate to a conforming RP on behalf of a malicious actor. Maybe this statement needs to be revised or clarified?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1739313115 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 28 September 2023 14:12:17 UTC