
How does it "allow a malicious website to obtain valid credentials." – WebAuthn

Çağlar Arlı


I'm not entirely convinced of the importance of verifying the authenticator attestation, and I've asked a question about it; I'm open to it, and if you want, you can post an answer to that question, but this one is specifically about "section 13.4.9. Validating the origin of a credential".

It says

The Relying Party MUST NOT accept unexpected values of origin, as doing so could allow a malicious website to obtain valid credentials. ... the Relying Party's origin validation serves as an additional layer of protection in case a faulty authenticator fails to enforce credential scope

Q: Can we illustrate the problem that can occur with not verifying origin (during registration, to be specific), with a concrete example?