
Re: 05/24/2016 WebAuthn Summary

From: J.C. Jones <jjones@mozilla.com>
Date: Fri, 27 May 2016 11:51:35 -0700
Message-ID: <CAObDDPAEYW-XBA==LDrnLua4rDmxh=buyDeLbutBEViSt0W+Pw@mail.gmail.com>
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: "Mandyam, Giridhar" <mandyam@qti.qualcomm.com>, Sampath Srinivas <samsrinivas@google.com>, Anthony Nadalin <tonynad@microsoft.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com>
wrote:

> The extensions are also signed over. So if the client were to drop an
> extension coming out of the authenticator, it might as well drop the entire
> signature since it’s not going to check out any more. A client might do
> that for egregious behaviors, but would likely be hesitant to do it.
>
>
Is it feasible to prohibit authenticators from responding with extensions
whose extension identifiers weren't matched in the getAssertion?
Received on Friday, 27 May 2016 18:52:23 UTC
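
The point made in this exchange, as an added example that is not part of the original messages: because the extension outputs are inside the signed bytes, a client that strips one invalidates the signature, while checking returned identifiers against the requested ones leaves it intact. The JSON layout, the key pair and the identifiers `example_ext_a` / `example_ext_b` are constructed assumptions, not the WebAuthn wire format.

```javascript
// Added illustration; simplified model, not the WebAuthn wire format.
const crypto = require('crypto');

// Constructed authenticator key pair (P-256).
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Authenticator side: the extension outputs are part of the signed bytes.
function authenticatorSign(clientDataHash, extensions) {
  const authData = Buffer.from(JSON.stringify({ counter: 1, extensions }));
  const signature = crypto.sign('sha256', Buffer.concat([authData, clientDataHash]), privateKey);
  return { authData, signature };
}

// Relying party side: verify the signature over the bytes as received.
function verifyAssertion(assertion, clientDataHash) {
  return crypto.verify('sha256', Buffer.concat([assertion.authData, clientDataHash]),
    publicKey, assertion.signature);
}

// A client that removes one extension output has to re-serialize authData.
function clientDropExtension(assertion, id) {
  const parsed = JSON.parse(assertion.authData.toString());
  delete parsed.extensions[id];
  return { authData: Buffer.from(JSON.stringify(parsed)), signature: assertion.signature };
}

// The check asked about in the reply: returned identifiers that were never requested.
function unsolicitedExtensions(assertion, requestedIds) {
  const returned = Object.keys(JSON.parse(assertion.authData.toString()).extensions);
  return returned.filter((id) => !requestedIds.includes(id));
}

function demo() {
  const clientDataHash = crypto.createHash('sha256').update('constructed client data').digest();
  const requested = ['example_ext_a'];
  // Constructed authenticator output: one requested and one unrequested extension.
  const assertion = authenticatorSign(clientDataHash, { example_ext_a: true, example_ext_b: 'x' });
  const stripped = clientDropExtension(assertion, 'example_ext_b');
  return {
    intactVerifies: verifyAssertion(assertion, clientDataHash),
    strippedVerifies: verifyAssertion(stripped, clientDataHash),
    unsolicited: unsolicitedExtensions(assertion, requested),
  };
}

console.log(demo());
```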
