The example was misleading, as it is already explicitly disallowed by the spec
(see 4.1.4, step 8). Removing it hopefully makes it clear that 11.2 is about a
general class of risk that SPC (and WebAuthn) has as a technology, not a
specific attack with a specific mitigation.
See #142