RE: 05/24/2016 WebAuthn Summary from Vijay Bharadwaj on 2016-05-27 (public-webauthn@w3.org from May 2016)

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Fri, 27 May 2016 19:37:31 +0000
To: "J.C. Jones" <jjones@mozilla.com>
CC: "Mandyam, Giridhar" <mandyam@qti.qualcomm.com>, Sampath Srinivas <samsrinivas@google.com>, Anthony Nadalin <tonynad@microsoft.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
Message-ID: <74fc2dbe98d549e9a2745c05756fb75c@microsoft.com>

One issue with that is that some of the extensions that are currently defined (in fact, 3 out of 5) are emitted unprompted by the authenticator. Though if we wanted to make this rule, I would be fine with it and we could add it in the spec if others agree.

Essentially the authenticator would still be allowed to ignore requested extensions, just not add new ones on its own.

From: J.C. Jones [mailto:jjones@mozilla.com]
Sent: Friday, May 27, 2016 12:33 PM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: Mandyam, Giridhar <mandyam@qti.qualcomm.com>; Sampath Srinivas <samsrinivas@google.com>; Anthony Nadalin <tonynad@microsoft.com>; public-webauthn@w3.org
Subject: Re: 05/24/2016 WebAuthn Summary

That's how you'd enforce it: if the authenticator doesn't obey the contract, the signature won't be valid when the RP checks it.
Roughly the contract would be: Authenticators will only emit extensions they were prompted to emit.

On Fri, May 27, 2016 at 12:27 PM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
As a client, how would you enforce this other than by dropping the signature on the floor?

In general, every time you put in a MUST into a protocol or other spec, you need to say what the consequences are if it is violated. Otherwise it’s not really a MUST.

From: J.C. Jones [mailto:jjones@mozilla.com<mailto:jjones@mozilla.com>]
Sent: Friday, May 27, 2016 11:52 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>>
Cc: Mandyam, Giridhar <mandyam@qti.qualcomm.com<mailto:mandyam@qti.qualcomm.com>>; Sampath Srinivas <samsrinivas@google.com<mailto:samsrinivas@google.com>>; Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; public-webauthn@w3.org<mailto:public-webauthn@w3.org>
Subject: Re: 05/24/2016 WebAuthn Summary

On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
The extensions are also signed over. So if the client were to drop an extension coming out of the authenticator, it might as well drop the entire signature since it’s not going to check out any more. A client might do that for egregious behaviors, but would likely be hesitant to do it.

Is it feasible to prohibit authenticators from responding with extensions whose extension identifiers weren't matched in the getAssertion?

Received on Friday, 27 May 2016 19:38:10 UTC