[webkit-reviews] review granted: [Bug 183533] [WebAuthn] Formalize the Keychain schema : [Attachment 393180] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 11 11:00:04 PDT 2020
Brent Fulgham <bfulgham at webkit.org> has granted Jiewen Tan
<jiewen_tan at apple.com>'s request for review:
Bug 183533: [WebAuthn] Formalize the Keychain schema
https://bugs.webkit.org/show_bug.cgi?id=183533
Attachment 393180: Patch
https://bugs.webkit.org/attachment.cgi?id=393180&action=review
--- Comment #8 from Brent Fulgham <bfulgham at webkit.org> ---
Comment on attachment 393180
--> https://bugs.webkit.org/attachment.cgi?id=393180
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393180&action=review
> Source/WebKit/ChangeLog:51
> + within the SEP. So this field is absolutely useless.
I suggest:
We hard code a zero value for 'signature counter'. While this is a
theoretically interesting technique for a RP to detect private key cloning, it
is unlikely to be useful in practice. We store the private keys in our SEP.
This counter would only be a meaningful protection if adversaries were able to
extract private key data from the SEP without Apple noticing, but were not able
to manipulate this counter to fool the RP.
> Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:338
> + ASSERT(!status);
Should this be a RELEASE_ASSERT?
More information about the webkit-reviews
mailing list