Re: 05/24/2016 WebAuthn Summary

On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com>
wrote:

> The extensions are also signed over. So if the client were to drop an
> extension coming out of the authenticator, it might as well drop the entire
> signature since it’s not going to check out any more. A client might do
> that for egregious behaviors, but would likely be hesitant to do it.
>
>
Is it feasible to prohibit authenticators from responding with extensions
whose extension identifiers weren't matched in the getAssertion?

Received on Friday, 27 May 2016 18:52:23 UTC
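
The point in the quoted reply (extension outputs are covered by the signature, so a client that drops one invalidates the assertion) and one possible verifier-side check for the question asked, as an added example that is not part of the original thread or of the WebAuthn specification. The HMAC key standing in for the authenticator's credential key, the JSON encoding of the signed bytes, and the extension identifiers are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the credential key. A real authenticator signs with
# an asymmetric private key; HMAC keeps this model standard-library only.
DEMO_KEY = b"constructed-demo-key"

def signed_bytes(extensions: dict, client_data_hash: bytes) -> bytes:
    # Assumed encoding: canonical JSON of the extension outputs, then the hash.
    ext = json.dumps(extensions, sort_keys=True, separators=(",", ":")).encode()
    return len(ext).to_bytes(4, "big") + ext + client_data_hash

def authenticator_sign(extensions: dict, client_data_hash: bytes) -> bytes:
    data = signed_bytes(extensions, client_data_hash)
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def signature_ok(extensions: dict, client_data_hash: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(authenticator_sign(extensions, client_data_hash), sig)

def unsolicited(requested_ids: set, extensions: dict) -> list:
    # Extension identifiers in the response that the request never named.
    return sorted(set(extensions) - set(requested_ids))

def check_assertion(requested_ids, extensions, client_data_hash, sig) -> str:
    if not signature_ok(extensions, client_data_hash, sig):
        return "bad-signature"
    extra = unsolicited(requested_ids, extensions)
    return "unsolicited:" + ",".join(extra) if extra else "ok"

def demo() -> dict:
    cdh = hashlib.sha256(b"constructed client data").digest()
    requested = {"example.requested"}  # hypothetical identifiers
    returned = {"example.requested": True, "example.extra": "x"}
    sig = authenticator_sign(returned, cdh)
    # What a client would forward if it dropped the unrequested extension.
    stripped = {k: v for k, v in returned.items() if k in requested}
    return {
        "as_returned": check_assertion(requested, returned, cdh, sig),
        "client_stripped": check_assertion(requested, stripped, cdh, sig),
        "well_behaved": check_assertion(
            requested, stripped, cdh, authenticator_sign(stripped, cdh)),
    }

if __name__ == "__main__":
    print(demo())
```

The `client_stripped` case fails signature verification before the identifier check is reached, which is why filtering at the client is not a substitute for the authenticator omitting the extension.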