The Lookup Credential Source by Credential ID Algorithm is presently used only in internal-to-the-authenticator operations, namely in authenticatorMakeCredential and authenticatorGetAssertion.
The result of Lookup Credential Source by Credential ID Algorithm is null, or one or more credential sources. A credential source models the (sensitive) data an authnr manages for each "credential", i.e., including the credential private key.
Using this alg to look up a cred source, when conceptually "within the authenticator boundary" is fine (i.e., security- and privacy-wise).
However, if we attempt to use this alg from another conceptual level, e.g., the client platform (as we might do in PR #1576), then we do not want to be returning the private key to the caller.
authenticatorMakeCredential and authenticatorGetAssertion really only need this alg to return cred source items such as type, (cred) id, rpId, userHandle, otherUI (i.e., everything other than privateKey).
We ought to update this alg accordingly such that security model subtleties remain at least nominally correct.
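The boundary concern raised in this issue can be sketched as follows. This is an added example, not text from the issue or the WebAuthn specification: `ToyAuthenticator` and its method names are hypothetical, the field names are the ones listed above, and the sample credential source is constructed.

```javascript
// Added illustration. Class and method names are hypothetical; the field names
// (type, id, rpId, userHandle, otherUI, privateKey) are the ones the issue lists.
const CALLER_VISIBLE_FIELDS = ["type", "id", "rpId", "userHandle", "otherUI"];

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
// Copy byte arrays so a caller cannot mutate the stored credential source.
const copyValue = (v) => (v instanceof Uint8Array ? Uint8Array.from(v) : v);

class ToyAuthenticator {
  // The private field stands in for the authenticator boundary.
  #credentials = new Map();

  store(source) {
    this.#credentials.set(toHex(source.id), { ...source });
  }

  // Full lookup, private key included: reachable only from inside the class.
  #lookupSource(credentialId) {
    return this.#credentials.get(toHex(credentialId)) ?? null;
  }

  // Lookup for callers at another level (e.g. the client platform).
  // An allow-list is used so a field added later is withheld by default.
  lookupForCaller(credentialId) {
    const source = this.#lookupSource(credentialId);
    if (source === null) return null;
    const view = {};
    for (const f of CALLER_VISIBLE_FIELDS) view[f] = copyValue(source[f]);
    return Object.freeze(view);
  }

  // Stand-in for an in-boundary operation that does need the key.
  canSignWith(credentialId) {
    const source = this.#lookupSource(credentialId);
    return source !== null && source.privateKey instanceof Uint8Array;
  }
}

// Constructed sample credential source; the key bytes are placeholders.
function sampleAuthenticator() {
  const authenticator = new ToyAuthenticator();
  authenticator.store({
    type: "public-key",
    id: Uint8Array.from([0x01, 0x02, 0x03, 0x04]),
    rpId: "example.com",
    userHandle: Uint8Array.from([0xaa, 0xbb]),
    otherUI: "constructed display name",
    privateKey: Uint8Array.from([0xde, 0xad, 0xbe, 0xef]),
  });
  return authenticator;
}
```

The caller-facing lookup returns null for an unknown credential ID, matching the null result the issue describes, and never exposes a reference to the stored object.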