RE: extensions, continued.. (was: 05/24/2016 WebAuthn Summary

Would you explain?

You mean you object to allowing the client a say in which extensions are emitted? We're not talking about removing any existing extensions, just about clearly defining the circumstances under which an authenticator might emit them.

From: Hodges, Jeff [mailto:jeff.hodges@paypal.com]
Sent: Friday, May 27, 2016 12:48 PM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: public-webauthn@w3.org
Subject: Re: extensions, continued.. (was: 05/24/2016 WebAuthn Summary

On 5/27/16, 12:37 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:
One issue with that is that some of the extensions that are currently defined (in fact, 3 out of 5) are emitted unprompted by the authenticator. Though if we wanted to make this rule, I would be fine with it and we could add it in the spec if others agree.

Essentially the authenticator would still be allowed to ignore requested extensions, just not add new ones on its own.

We (PayPal) object to obviating existing extensions.


From: J.C. Jones [mailto:jjones@mozilla.com]
Sent: Friday, May 27, 2016 12:33 PM
That's how you'd enforce it: if the authenticator doesn't obey the contract, the signature won't be valid when the RP checks it.
Roughly the contract would be: Authenticators will only emit extensions they were prompted to emit.

Received on Friday, 27 May 2016 19:51:56 UTC