As a client, how would you enforce this other than by dropping the signature on the floor?
In general, every time you put a MUST into a protocol or other spec, you need to say what the consequences are if it is violated. Otherwise it’s not really a MUST.
From: J.C. Jones [mailto:jjones@mozilla.com]
Sent: Friday, May 27, 2016 11:52 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: Mandyam, Giridhar <mandyam@qti.qualcomm.com>; Sampath Srinivas <samsrinivas@google.com>; Anthony Nadalin <tonynad@microsoft.com>; public-webauthn@w3.org
Subject: Re: 05/24/2016 WebAuthn Summary
On Fri, May 27, 2016 at 10:44 AM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:
The extensions are also signed over. So if the client were to drop an extension coming out of the authenticator, it might as well drop the entire signature since it’s not going to check out any more. A client might do that for egregious behaviors, but would likely be hesitant to do it.
Is it feasible to prohibit authenticators from responding with extensions whose extension identifiers weren't matched in the getAssertion?
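
Added example, not part of the original thread or of any WebAuthn implementation: a sketch of why a client that removes an extension the request did not ask for breaks the signature, leaving it only the choice between forwarding the assertion untouched and dropping it whole. Assumptions: HMAC-SHA256 stands in for the authenticator's asymmetric signature so the code runs on the standard library alone, and the encoding, key, extension identifiers and all function names are constructed for illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the authenticator key

def encode(auth_data, extensions):
    # Constructed canonical encoding (sorted-key JSON), not the WebAuthn wire format.
    body = {"authData": auth_data, "extensions": extensions}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(auth_data, extensions, client_data_hash):
    # Assumption: HMAC-SHA256 replaces the authenticator's asymmetric signature.
    msg = encode(auth_data, extensions) + client_data_hash
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def verify(assertion, client_data_hash):
    expected = sign(assertion["authData"], assertion["extensions"], client_data_hash)
    return hmac.compare_digest(expected, assertion["signature"])

def unsolicited(requested_ids, assertion):
    # Extension identifiers returned that were not in the request.
    return sorted(set(assertion["extensions"]) - set(requested_ids))

def strip_unsolicited(requested_ids, assertion):
    # What a client "dropping an extension" would produce; signature left as-is.
    kept = {k: v for k, v in assertion["extensions"].items() if k in requested_ids}
    return {**assertion, "extensions": kept}

def client_policy(requested_ids, assertion):
    # Only two outcomes keep a checkable signature: forward untouched, or drop whole.
    return None if unsolicited(requested_ids, assertion) else assertion

# Constructed sample data.
CLIENT_DATA_HASH = hashlib.sha256(b'{"challenge":"constructed"}').digest()
REQUESTED = {"example.requested"}
AUTH_DATA = {"rpIdHash": "constructed", "counter": 7}
EXTS = {"example.requested": True, "example.unsolicited": "extra"}
ASSERTION = {"authData": AUTH_DATA, "extensions": EXTS,
             "signature": sign(AUTH_DATA, EXTS, CLIENT_DATA_HASH)}

if __name__ == "__main__":
    print("as returned:", verify(ASSERTION, CLIENT_DATA_HASH))
    stripped = strip_unsolicited(REQUESTED, ASSERTION)
    print("after stripping:", verify(stripped, CLIENT_DATA_HASH))
    print("unsolicited ids:", unsolicited(REQUESTED, ASSERTION))
    print("client forwards:", client_policy(REQUESTED, ASSERTION) is not None)
```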