Re: [webauthn] Clearly define the way how RP handles the extensions (#1258)

Sorry for the delay. Yes, for the extensions where the client extension outputs forward the authenticator extension outputs, I'd say the authenticator extension outputs in the signed AuthData should be preferred over the unsigned client extension outputs. For extensions where the client extension output and authenticator extension output are different (`appid`, `authnSel`, `biometricPerfBounds`, `credProps`), the RP should inspect both (none of those extensions have authenticator extension output, but future extensions might).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1258#issuecomment-539469065 using your GitHub account

Received on Tuesday, 8 October 2019 11:24:48 UTC
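
The handling suggested in the comment above, sketched as RP-side code. This is an added example, not part of the original message and not code from the WebAuthn specification. It assumes Node.js, an assertion whose signature over the authenticator data has already been verified, and a hypothetical extension identifier `exampleExt`; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example. `exampleExt` is hypothetical; authData signature assumed already verified.
const DISTINCT_OUTPUTS = new Set(["appid", "authnSel", "biometricPerfBounds", "credProps"]);
// Minimal CBOR decoder: small unsigned ints, text strings, maps, true/false.
function cborDecode(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const head = buf[pos++], major = head >> 5, info = head & 0x1f;
  if (major === 7 && (info === 20 || info === 21)) return [info === 21, pos];
  if (info > 24) throw new Error("unsupported CBOR length");
  const n = info === 24 ? buf.readUInt8(pos++) : info;
  if (major === 0) return [n, pos];
  if (major === 3) {
    if (pos + n > buf.length) throw new Error("truncated CBOR string");
    return [buf.toString("utf8", pos, pos + n), pos + n];
  }
  if (major !== 5) throw new Error("unsupported CBOR type");
  const map = Object.create(null); // no prototype, so hostile keys stay plain data
  for (let i = 0, key, val; i < n; i++) {
    [key, pos] = cborDecode(buf, pos);
    [val, pos] = cborDecode(buf, pos);
    map[key] = val;
  }
  return [map, pos];
}

// Assertion authData: rpIdHash(32) | flags(1) | signCount(4) | extensions if ED (0x80).
function signedExtensions(authData) {
  if (authData.length < 37) throw new Error("authData too short");
  const flags = authData[32];
  if (flags & 0x40) throw new Error("attested credential data not handled here");
  if (!(flags & 0x80)) return Object.create(null);
  const [ext, end] = cborDecode(authData, 37);
  if (end !== authData.length || typeof ext !== "object") throw new Error("malformed extensions");
  return ext;
}

// Prefer signed outputs; for extensions with distinct outputs, hand back both.
function resolveExtensions(authData, clientResults) {
  const signed = signedExtensions(authData);
  const out = Object.create(null);
  for (const id of new Set([...Object.keys(signed), ...Object.keys(clientResults)])) {
    if (DISTINCT_OUTPUTS.has(id)) out[id] = { client: clientResults[id], authenticator: signed[id] };
    else if (id in signed) out[id] = { value: signed[id], signed: true };
    else out[id] = { value: clientResults[id], signed: false };
  }
  return out;
}

// Constructed sample: flags UP|ED, signed extensions = {"exampleExt": true}.
const SAMPLE_AUTH_DATA = Buffer.concat([Buffer.alloc(32), Buffer.from([0x81, 0, 0, 0, 1]),
  Buffer.from([0xa1, 0x6a]), Buffer.from("exampleExt"), Buffer.from([0xf5])]);
const SAMPLE_CLIENT = { exampleExt: false, credProps: { rk: true } };
```

With the sample inputs, the client's unsigned `exampleExt: false` is overridden by the signed `true`, while `credProps` is returned with both the client value and the (absent) authenticator value for the RP to inspect.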