Re: extensions, continued.. (was: 05/24/2016 WebAuthn Summary

On 5/27/16, 12:50 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:

You mean you object to allowing the client a say in which extensions are emitted? We're not talking about removing any existing extensions, just about clearly defining the circumstances under which an authenticator might emit them.

Yes, we would object to altering the present design that allows for authenticators to implement and emit extensions of their own volition, as presently specified (cf. AAGUID extension, SupportedExtensions extension, User Verification Index (UVI) extension). We feel it is a subtle-but-important aspect of fostering the overall ecosystem.

This entire thread has become quite frayed... having a concrete extension proposal on the table may help it coalesce -- I suggest that Giri write up the postulated "opaque data" extension using the framework that's presently defined in the spec and then hopefully we can more objectively assess it.

HTH,

=JeffH




From: Hodges, Jeff <jeff.hodges@paypal.com>
Sent: Friday, May 27, 2016 12:48 PM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: public-webauthn@w3.org
Subject: Re: extensions, continued.. (was: 05/24/2016 WebAuthn Summary

On 5/27/16, 12:37 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:
One issue with that is that some of the extensions that are currently defined (in fact, 3 out of 5) are emitted unprompted by the authenticator. Though if we wanted to make this rule, I would be fine with it and we could add it in the spec if others agree.

Essentially the authenticator would still be allowed to ignore requested extensions, just not add new ones on its own.

We (PayPal) object to obviating existing extensions.


From: J.C. Jones <jjones@mozilla.com>
Sent: Friday, May 27, 2016 12:33 PM
That's how you'd enforce it: if the authenticator doesn't obey the contract, the signature won't be valid when the RP checks it.
Roughly the contract would be: Authenticators will only emit extensions they were prompted to emit.

Received on Friday, 27 May 2016 20:06:46 UTC