On 29.10.24 15:36, Alan DeKok wrote:
On Oct 29, 2024, at 4:03 AM, Yukiko MINAMIE wrote:
Perhaps one option would be to allow the challenge to be created by the FIDO2
server, but add an exchange specific to the EAP-FIDO protocol, which would do
the cryptographic binding. That exchange coul
On Oct 30, 2024, at 1:13 PM, Jan-Frederik Rieckers wrote:
> The problem I have with this approach:
> This could make cross-protocol attacks possible.
Sure. If we want EAP-FIDO to have the same workflow as normal web FIDO, then
we need to have the server generate the challenge. There are a lo
