regarding "opaque pass-thru extensions"

[ please disregard (and delete) prior empty msg with the same subject line as this msg, sorry, thx ]

For the sake of discussion, let's call the sort of extension you, Giri, mention in..

   https://github.com/w3c/webauthn/issues/98

.."opaque pass-thru extensions".

The text of #98 is..

   An RP may send opaque data to an authenticator via an extension
   that requires no client processing. This should be a pre-registered
   extension type and would be passed directly to the authenticator from
   the client.

I assume by "pre-registered" you mean "pre-defined".  In any case, I
note in reading the spec - https://w3c.github.io/webauthn/ - that the
above use case seems to be presently addressed per the present
editors' copy of the spec...

   https://github.com/w3c/webauthn/issues/98#issuecomment-221449654

   Does this last paragraph of the current section 5
   {#extension-request-parameters} address this use case?

   "For extensions that specify additional authenticator processing only, it
   is desirable that the platform need not know the extension. To
   support this, platforms SHOULD pass the client argument of unknown
   extension as the authenticator argument unchanged, under the same
   extension identifier. The authenticator argument should be the CBOR
   encoding of the client argument, as specified in Section 4.2 of
   [RFC7049]. Clients SHOULD silently drop unknown extensions whose client
   argument cannot be encoded as a CBOR structure."


HTH,

=JeffH

Received on Wednesday, 25 May 2016 01:38:17 UTC
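
The pass-through rule in the spec paragraph quoted in the message above, as an added sketch that is not part of the original message or of the WebAuthn spec. The function names, the `knownIds` set and the `example_*` extension identifiers are assumptions, and the encoder covers only a subset of RFC 7049 (integers below 2^32, doubles, strings, byte strings, arrays, maps, booleans, null).

```javascript
// Added example: minimal RFC 7049 encoder for common JS values (byte arrays out).
function head(major, n) {
  const m = major << 5; // major type sits in the top three bits
  if (n < 24) return [m | n];
  if (n < 0x100) return [m | 24, n];
  if (n < 0x10000) return [m | 25, n >> 8, n & 0xff];
  return [m | 26, n >>> 24, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff];
}

function encode(v) {
  if (v === null) return [0xf6];
  if (typeof v === "boolean") return [v ? 0xf5 : 0xf4];
  if (typeof v === "number") {
    if (Number.isInteger(v) && Math.abs(v) < 2 ** 32) return v >= 0 ? head(0, v) : head(1, -1 - v);
    const view = new DataView(new ArrayBuffer(8));
    view.setFloat64(0, v); // big-endian double
    return [0xfb, ...new Uint8Array(view.buffer)];
  }
  if (typeof v === "string") {
    const utf8 = new TextEncoder().encode(v);
    return [...head(3, utf8.length), ...utf8];
  }
  if (v instanceof Uint8Array) return [...head(2, v.length), ...v];
  if (Array.isArray(v)) return [...head(4, v.length), ...v.flatMap(encode)];
  if (typeof v === "object") {
    const keys = Object.keys(v);
    return [...head(5, keys.length), ...keys.flatMap((k) => [...encode(k), ...encode(v[k])])];
  }
  throw new TypeError("no CBOR encoding for " + typeof v); // function, symbol, undefined
}

// knownIds: identifiers of extensions this client processes itself (assumed input).
function passThroughUnknown(clientExtensions, knownIds) {
  const authenticatorArgs = {};
  for (const [id, clientArg] of Object.entries(clientExtensions)) {
    if (knownIds.has(id)) continue; // handled by the client's own extension code
    try {
      authenticatorArgs[id] = Uint8Array.from(encode(clientArg)); // same identifier
    } catch (_) {
      // not encodable: silently dropped, as the quoted paragraph says
    }
  }
  return authenticatorArgs;
}

// Constructed sample request; the extension identifiers are made up.
const requested = { example_opaque: { policy: "strict", blob: new Uint8Array([1, 2, 3]) },
  example_callback: () => 1, example_known: true };
console.log(Object.keys(passThroughUnknown(requested, new Set(["example_known"]))));
```

Because the client forwards bytes it never interprets, validation of a pass-through argument has to happen in the authenticator.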