Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

> I agree that clientDataJSON seems to be a better place than authenticatorData for this kind of fix, as the authenticator might not even be aware of hybrid being used.

Given this is built by the client (browser) not the authenticator, a compromised client can just say "I used usb, promise" even if it was hybrid.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3453726092 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 October 2025 23:21:57 UTC
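
The trust boundary raised in the comment above, as an added example that is not part of the original message or of the WebAuthn specification text: the authenticator signs `authenticatorData || SHA-256(clientDataJSON)` and only ever sees the hash, so a relying party gets the same valid signature whatever the client wrote. The `transport` member of clientDataJSON is hypothetical, and the RP ID, origin and challenge are constructed values.

```javascript
// Added illustration. The "transport" member of clientDataJSON is hypothetical.
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Authenticator: holds the credential key and receives only the HASH of
// clientDataJSON from the client, never the JSON itself.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    publicKey,
    getAssertion(clientDataHash) {
      counter += 1;
      const signCount = Buffer.alloc(4);
      signCount.writeUInt32BE(counter);
      // rpIdHash || flags (UP|UV) || signCount
      const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x05]), signCount]);
      const signed = Buffer.concat([authenticatorData, clientDataHash]);
      return { authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Client (browser): builds clientDataJSON, including whatever transport it claims.
function clientGetAssertion(authenticator, challenge, origin, claimedTransport) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge, origin, transport: claimedTransport,
  }));
  return { clientDataJSON, ...authenticator.getAssertion(sha256(clientDataJSON)) };
}

// Relying party: the usual assertion checks, then reads the client-reported field.
function rpVerify(publicKey, assertion, expected) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  const ok = clientData.type === 'webauthn.get'
    && clientData.challenge === expected.challenge
    && clientData.origin === expected.origin
    && assertion.authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))
    && crypto.verify('sha256', signed, publicKey, assertion.signature);
  return { ok, reportedTransport: clientData.transport };
}

// Same authenticator and ceremony; only the client's claim differs.
function demo() {
  const expected = { rpId: 'rp.example', origin: 'https://rp.example', challenge: 'Y29uc3RydWN0ZWQ' };
  const authenticator = makeAuthenticator(expected.rpId);
  return ['hybrid', 'usb'].map((t) => rpVerify(authenticator.publicKey,
    clientGetAssertion(authenticator, expected.challenge, expected.origin, t), expected));
}
```

Both assertions verify, so the signature protects the field against modification after the client but says nothing about whether the client's claim was true.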