- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Fri, 27 May 2016 19:48:16 +0000
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- CC: "public-webauthn@w3.org" <public-webauthn@w3.org>
Received on Friday, 27 May 2016 19:48:46 UTC
On 5/27/16, 12:37 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote: One issue with that is that some of the extensions that are currently defined (in fact, 3 out of 5) are emitted unprompted by the authenticator. Though if we wanted to make this rule, I would be fine with it and we could add it in the spec if others agree. Essentially the authenticator would still be allowed to ignore requested extensions, just not add new ones on its own. We paypal object to obviating existing extensions. From: J.C. Jones [mailto:jjones@mozilla.com] Sent: Friday, May 27, 2016 12:33 PM That's how you'd enforce it: if the authenticator doesn't obey the contract, the signature won't be valid when the RP checks it. Roughly the contract would be: Authenticators will only emit extensions they were prompted to emit.
Received on Friday, 27 May 2016 19:48:46 UTC