[webauthn] Protect against TLS MiTM by including TLS cert chain in signature

leshi has just created a new issue for https://github.com/w3c/webauthn:

== Protect against TLS MiTM by including TLS cert chain in signature ==
While I know token binding can do this as well, this doesn't necessarily require the server (or client) to modify as much of the stack.

The idea is that the client includes the cert chain info in the client data, and the token signs over this. The server can verify that the client saw the expected chain. If it doesn't, the server may have a bit more info on who's doing a man in the middle than it might otherwise know with token binding.

h/t to Sam Srinivas

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/391 using your GitHub account

Received on Wednesday, 29 March 2017 20:57:01 UTC