On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:

> The extensions are also signed over. So if the client were to drop an
> extension coming out of the authenticator, it might as well drop the entire
> signature since it’s not going to check out any more. A client might do
> that for egregious behaviors, but would likely be hesitant to do it.

Is it feasible to prohibit authenticators from responding with extensions whose extension identifiers weren't matched in the getAssertion?

Received on Friday, 27 May 2016 18:52:23 UTC
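The constraint discussed in this message, as an added example that is not part of the original thread: because the signature covers the extension data, a client that strips an unrequested extension breaks verification, so its only options are to forward the output unchanged or reject the whole assertion. Assumptions: HMAC-SHA256 stands in for the authenticator's asymmetric signature, the signed-byte layout and JSON encoding are simplified, and the extension identifiers are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real authenticator signs with an asymmetric private key;
# HMAC-SHA256 stands in here so the example needs only the standard library.
DEVICE_KEY = b"constructed-demo-key"


def signed_bytes(challenge: bytes, extensions: dict) -> bytes:
    # Assumed layout: deterministic encoding of the extension map, then the challenge.
    ext = json.dumps(extensions, sort_keys=True, separators=(",", ":")).encode()
    return ext + challenge


def authenticator_sign(challenge: bytes, extensions: dict) -> bytes:
    return hmac.new(DEVICE_KEY, signed_bytes(challenge, extensions), hashlib.sha256).digest()


def relying_party_verify(challenge: bytes, extensions: dict, signature: bytes) -> bool:
    expected = authenticator_sign(challenge, extensions)
    return hmac.compare_digest(expected, signature)


def unsolicited(requested_ids, returned: dict) -> list:
    # Extension identifiers the authenticator returned without being asked.
    return sorted(set(returned) - set(requested_ids))


def strip_unrequested(requested_ids, returned: dict) -> dict:
    # What a client would produce if it tried to drop the extras and forward the rest.
    return {k: v for k, v in returned.items() if k in requested_ids}


def client_decision(requested_ids, returned: dict) -> str:
    # Stripping is not an option (it invalidates the signature), so the
    # policy is binary: forward everything unchanged or reject everything.
    extra = unsolicited(requested_ids, returned)
    if extra:
        return "reject assertion: unsolicited " + ", ".join(extra)
    return "forward unchanged"


# Constructed sample exchange with hypothetical extension identifiers.
CHALLENGE = hashlib.sha256(b"constructed challenge").digest()
REQUESTED = ["example.requested"]
RETURNED = {"example.requested": "ok", "example.unsolicited": "extra"}
SIGNATURE = authenticator_sign(CHALLENGE, RETURNED)

if __name__ == "__main__":
    print("untouched:", relying_party_verify(CHALLENGE, RETURNED, SIGNATURE))
    stripped = strip_unrequested(REQUESTED, RETURNED)
    print("stripped: ", relying_party_verify(CHALLENGE, stripped, SIGNATURE))
    print(client_decision(REQUESTED, RETURNED))
```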