jackevans43
@scrawfor99 Sorry for the slow reply - yes this behaviour is for successful search requests etc. Have you managed to reproduce the issue?
I think you'll always need to talk to an external server to sign some kind of nonce from the server (or maybe RFC 3161 time stamp authority) to prove the...
User device. If a user device contains malware, it can do anything a browser can, such as performing signing or hashing operations on "protected" key material, even if it's in...
@el1s7 > ### 2. Sharing the Key > Step two is the same as previous, the secure session key is sent once by the browser on the specified URL. >...
I agree the aim of DBSC is about the user device. However if we've got the opportunity to mitigate other risks with minimal/no extra effort, shouldn't we? Or to look...
Is it necessary to sign every request? While malware is present on a user device, it can also do this. Aren't we trying to reduce the time between malware being...
To prove current possession of the private key, you'll need to sign some piece of data from an external source that you couldn't have predicted. Without this, malware previously on...
Thanks @danmarg @arnar for the explanation. On the subject of binding WebAuthn and DBSC to the same device - I think this would be the best eventual solution. There will be...