
[webauthn] Clarify uses of ClientData

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Sat, 17 Sep 2016 13:53:47 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-177577760-1474120425-sysbot+gh@w3.org>
gmandyam has just created a new issue for 
https://github.com/w3c/webauthn:

== Clarify uses of ClientData ==
As per https://w3c.github.io/webauthn/#sec-client-data,

"The client data represents the contextual bindings of both the 
Relying Party and the client platform."  This implies that 
authenticator contextual bindings are not included in the ClientData.
  Moreover, all dictionary entries listed in this section (challenge, 
rpId, etc.) do not represent values that are set by the authenticator.

Yet https://w3c.github.io/webauthn/#sec-android-attestation-signature
defines platform-specific extensions to ClientData that are 
authenticator specific, which implies a contextual binding of the 
authenticator.

My suggestion is to prohibit such platform-specific extensions to 
ClientData.  

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/209 using your GitHub account
Received on Saturday, 17 September 2016 13:54:05 UTC
