[webauthn] Client-generated challenges from David Halls via GitHub on 2018-05-10 (public-webauthn@w3.org from May 2018)

From: David Halls via GitHub <sysbot+gh@w3.org>
Date: Thu, 10 May 2018 21:53:55 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-322099157-1525989234-sysbot+gh@w3.org>

davedoesdev has just created a new issue for https://github.com/w3c/webauthn:

== Client-generated challenges ==
I have a question about https://www.w3.org/TR/webauthn/#cryptographic-challenges

> Therefore, both challenge's and challenge's value MUST be randomly generated by Relying Parties in an environment they trust (e.g., on the server-side)

I'd like to ask what the reason for this is please?

I'm interested in using WebAuthn to sign JWTs that are generated by script in the page (according to user input). This would be done by an administrative user, to generate tokens which can be presented to the server by other users to get access to limited server functionality.

Is there something in the spec, or the implementations of it, which precludes this use case?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/902 using your GitHub account

Received on Thursday, 10 May 2018 21:53:57 UTC