[webauthn] Clarify when an extension may be ignored by user agent

gmandyam has just created a new issue for 
https://github.com/w3c/webauthn:

== Clarify when an extension may be ignored by user agent ==
There does not seem to be any reason for a web authn. client to block 
an inbound or outbound extension that is supported by the 
authenticator and does not require any client processing.  Last 
paragraph in 5 does not make this clear.

Recommend following text:

"All WebAuthn extensions are optional for both clients and
authenticators. Thus, any extensions requested by a WebAuthn Relying
Party may be ignored by the client browser or OS (if client processing
is required for the extension) and not passed to the authenticator at
all, or they may be ignored by the authenticator. However, an
extension that is supported by an authenticator that does not require
client processing should be passed to the authenticator. Ignoring an
extension is never considered a failure in the WebAuthn API, so when
WebAuthn Relying Parties include extensions with any API calls, they
must be prepared to handle cases where some or all of those extensions
are ignored."

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/97 using your GitHub account

Received on Friday, 13 May 2016 07:18:19 UTC
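
The following is an added example, not part of the original message or of the WebAuthn specification: a small JavaScript model of the extension flow the recommended text describes, showing where an extension can be dropped and how a Relying Party can tell which ones were ignored. The extension identifiers, the registry and all function names are hypothetical, and treating an unregistered extension as needing no client processing is an assumption of this model.

```javascript
// Constructed registry: whether each (hypothetical) extension needs client processing.
const EXTENSIONS = {
  "example.clientOnly": { needsClientProcessing: true },
  "example.passthrough": { needsClientProcessing: false },
  "example.unsupported": { needsClientProcessing: false },
};

// Client step: an extension that needs client processing the client lacks is
// ignored; anything else is forwarded to the authenticator unchanged.
function clientForward(requested, clientSupported) {
  const forwarded = {};
  for (const [id, input] of Object.entries(requested)) {
    // Assumption: an extension missing from the registry needs no client processing.
    const needsClient = EXTENSIONS[id]?.needsClientProcessing ?? false;
    if (needsClient && !clientSupported.has(id)) continue; // ignored by the client
    forwarded[id] = input;
  }
  return forwarded;
}

// Authenticator step: unsupported extensions are skipped, never raised as an error.
function authenticatorProcess(forwarded, authenticatorSupported) {
  const outputs = {};
  for (const [id, input] of Object.entries(forwarded)) {
    if (!authenticatorSupported.has(id)) continue; // ignored by the authenticator
    outputs[id] = { processed: true, input };
  }
  return outputs;
}

// Relying Party step: anything requested but absent from the outputs was
// ignored somewhere along the path. That is not a failure of the call itself.
function ignoredExtensions(requested, outputs) {
  return Object.keys(requested).filter((id) => !(id in outputs));
}

// Runs the whole path and reports what was forwarded, processed and ignored.
function runCeremony(requested, clientSupported, authenticatorSupported) {
  const forwarded = clientForward(requested, clientSupported);
  const outputs = authenticatorProcess(forwarded, authenticatorSupported);
  return {
    forwarded: Object.keys(forwarded),
    processed: Object.keys(outputs),
    ignored: ignoredExtensions(requested, outputs),
  };
}
```

A Relying Party whose policy depends on a given extension would check the `ignored` list and fall back or reject on its own terms, since the API call succeeds either way.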