
Re: 05/24/2016 WebAuthn Summary

From: J.C. Jones <jjones@mozilla.com>
Date: Fri, 27 May 2016 11:51:35 -0700
Message-ID: <CAObDDPAEYW-XBA==LDrnLua4rDmxh=buyDeLbutBEViSt0W+Pw@mail.gmail.com>
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: "Mandyam, Giridhar" <mandyam@qti.qualcomm.com>, Sampath Srinivas <samsrinivas@google.com>, Anthony Nadalin <tonynad@microsoft.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>

On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:

> The extensions are also signed over. So if the client were to drop an
> extension coming out of the authenticator, it might as well drop the entire
> signature since it’s not going to check out any more. A client might do
> that for egregious behaviors, but would likely be hesitant to do it.

Is it feasible to prohibit authenticators from responding with extensions
whose extension identifiers weren't matched in the getAssertion?
Received on Friday, 27 May 2016 18:52:23 UTC
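
The point discussed in this thread, as an added example that is not part of the original message or of any WebAuthn implementation: because the signature covers the extensions, a client or relying party can detect an extension identifier that the request never named, but cannot remove it without invalidating the signature. This is a simplified model under stated assumptions: HMAC-SHA256 stands in for the authenticator's asymmetric signature, canonical JSON stands in for the real extension encoding, the authenticator data is reduced to an RP ID hash plus extensions, and all identifiers and function names are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the authenticator's
# asymmetric signature so the example needs only the standard library.
KEY = b"constructed-demo-key"

def encode_extensions(extensions):
    # Assumption: canonical JSON stands in for the real extension encoding.
    return json.dumps(extensions, sort_keys=True, separators=(",", ":")).encode()

def authenticator_sign(rp_id, client_data, extensions):
    """Return (authenticator data, signature); the signature covers the extensions."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + encode_extensions(extensions)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(KEY, signed, hashlib.sha256).digest()

def verify(auth_data, client_data, signature):
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def returned_extensions(auth_data):
    return json.loads(auth_data[32:])  # the first 32 bytes are the RP ID hash

def unsolicited(requested_ids, auth_data):
    """Identifiers the authenticator returned that the request never named."""
    return sorted(set(returned_extensions(auth_data)) - set(requested_ids))

def client_strip(auth_data, ext_id):
    """What a client would have to do to drop one extension from the response."""
    extensions = returned_extensions(auth_data)
    extensions.pop(ext_id, None)
    return auth_data[:32] + encode_extensions(extensions)

def demo():
    requested = ["example.requested"]               # constructed identifiers
    client_data = b'{"challenge":"constructed"}'
    auth_data, sig = authenticator_sign(
        "example.org", client_data,
        {"example.requested": True, "example.unrequested": "extra"})
    extra = unsolicited(requested, auth_data)
    stripped = client_strip(auth_data, extra[0])
    # Untouched data verifies; the stripped copy no longer does.
    return extra, verify(auth_data, client_data, sig), verify(stripped, client_data, sig)

if __name__ == "__main__":
    print(demo())
```

In this model the only options on seeing an unsolicited identifier are to pass the response through intact or to discard the whole assertion.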
