Re: extensions, continued.. (was: 05/24/2016 WebAuthn Summary

On 5/27/16, 12:37 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:
One issue with that is that some of the extensions that are currently defined (in fact, 3 out of 5) are emitted unprompted by the authenticator. Though if we wanted to make this rule, I would be fine with it and we could add it in the spec if others agree.

Essentially the authenticator would still be allowed to ignore requested extensions, just not add new ones on its own.

We PayPal object to obviating existing extensions.


From: J.C. Jones [mailto:jjones@mozilla.com]
Sent: Friday, May 27, 2016 12:33 PM
That's how you'd enforce it: if the authenticator doesn't obey the contract, the signature won't be valid when the RP checks it.
Roughly the contract would be: Authenticators will only emit extensions they were prompted to emit.

Received on Friday, 27 May 2016 19:48:46 UTC