- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Jul 2024 17:33:49 +0000
- To: public-webauthn@w3.org

I think you still misunderstand, as you shouldn't be able to crack a credential ID at all, given that the password has no part in constructing it. You would be able to brute-force a `(credential-ID, public-key)` pair, but that would at least require the server-side data getting leaked.

---

> For example, when hashing to the scalar field for an elliptic curve (sub)group with prime order r, it suffices to instantiate hash_to_field with target field GF(r).

Ah, nice. I hadn't read that part, but in that case, it seems only suitable to reuse it, indeed.

--
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2091#issuecomment-2206871560 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 3 July 2024 17:33:50 UTC
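
The sentence quoted in the message above describes instantiating hash_to_field (specified in RFC 9380) with the scalar field GF(r) as its target. The following is an added example, not part of the original message or of the WebAuthn specification; it assumes the P-256 group order, SHA-256 with expand_message_xmd, a 128-bit security level, and a constructed domain-separation tag.

```python
import hashlib

# Assumptions for this example: r is the order of the NIST P-256 group,
# k = 128 bits of security, and the DST below is a constructed placeholder.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
K_SEC = 128
EXAMPLE_DST = b"EXAMPLE-V01-hash-to-scalar-P256-SHA256"


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """expand_message_xmd (RFC 9380, section 5.3.1) instantiated with SHA-256."""
    b_in_bytes = hashlib.sha256().digest_size  # hash output size: 32
    s_in_bytes = hashlib.sha256().block_size   # hash input block size: 64
    ell = -(-len_in_bytes // b_in_bytes)       # ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range")
    dst_prime = dst + bytes([len(dst)])
    # The requested length and the DST are both bound into the first hash.
    msg_prime = (bytes(s_in_bytes) + msg + len_in_bytes.to_bytes(2, "big")
                 + b"\x00" + dst_prime)
    b_0 = hashlib.sha256(msg_prime).digest()
    b_i = hashlib.sha256(b_0 + b"\x01" + dst_prime).digest()
    out = b_i
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b_0, b_i))
        b_i = hashlib.sha256(mixed + bytes([i]) + dst_prime).digest()
        out += b_i
    return out[:len_in_bytes]


def hash_to_scalar(msg: bytes, dst: bytes, count: int = 1,
                   order: int = P256_ORDER) -> list:
    """hash_to_field with target field GF(order), extension degree m = 1."""
    # L = ceil((ceil(log2(r)) + k) / 8): the k extra bits keep the bias
    # introduced by the final "mod r" reduction negligible.
    L = -(-(order.bit_length() + K_SEC) // 8)
    uniform = expand_message_xmd(msg, dst, count * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % order
            for i in range(count)]


if __name__ == "__main__":
    print(hex(hash_to_scalar(b"example input", EXAMPLE_DST)[0]))
```

Reducing a plain 32-byte digest modulo r would leave a detectable bias; the 48-byte expansion is what makes the resulting scalar statistically close to uniform.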