[webauthn] Must returned extensions be mathematically proper subsets of requested extensions?

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Must returned extensions be mathematically proper subsets of requested extensions? ==
Step 5 of [§ 6.1. Registering a new credential][reg] and step 7 of [§ 6.2. Verifying an authentication assertion][ass] both read (with minor editorial differences):

>5. Verify that the `clientExtensions` in _C_ is a proper subset of the extensions requested by the RP and that the `authenticatorExtensions` in _C_ is also a proper subset of the extensions requested by the RP.

In mathematics, a _proper subset_ is [necessarily not equal to its superset][wolfram]. This doesn't seem right here, however. For example, if the RP requests exactly one extension, this requirement would require the client to always ignore that one extension.

Is this the intended result, or should the "proper" qualification be dropped?

[reg]: https://www.w3.org/TR/webauthn/#registering-a-new-credential
[ass]: https://www.w3.org/TR/webauthn/#verifying-assertion
[wolfram]: http://mathworld.wolfram.com/ProperSubset.html

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/541 using your GitHub account

Received on Thursday, 31 August 2017 18:30:42 UTC
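
The difference between the two readings of the quoted verification step, as an added example that is not part of the original issue or the WebAuthn specification. The function names, the `mode` parameter and the extension identifiers are assumptions made for illustration.

```javascript
// Added example: relying-party check of returned extension outputs against
// the requested extension identifiers, under both readings of the step.
// All names and identifiers here are hypothetical, not spec-defined.

// Identifiers present in `returned` that the RP never requested.
function unsolicited(requested, returned) {
  const req = new Set(requested);
  return Object.keys(returned).filter((id) => !req.has(id));
}

// mode "subset": every returned id was requested (equality allowed).
// mode "proper": as above, and at least one requested id must be absent.
function checkOutputs(requested, returned, mode) {
  const extra = unsolicited(requested, returned);
  if (extra.length > 0) {
    return { ok: false, reason: "unsolicited: " + extra.join(",") };
  }
  const returnedIds = new Set(Object.keys(returned));
  // True for an empty request too: the empty set equals itself.
  const allEchoed = [...new Set(requested)].every((id) => returnedIds.has(id));
  if (mode === "proper" && allEchoed) {
    return { ok: false, reason: "equal to requested set" };
  }
  return { ok: true, reason: "" };
}

// Apply the check to clientExtensions and authenticatorExtensions in turn.
function verifyExtensions(requested, clientExt, authenticatorExt, mode) {
  const parts = [["client", clientExt], ["authenticator", authenticatorExt]];
  for (const [name, outputs] of parts) {
    const r = checkOutputs(requested, outputs || {}, mode);
    if (!r.ok) return { ok: false, reason: name + ": " + r.reason };
  }
  return { ok: true, reason: "" };
}

// Constructed sample: the RP requests exactly one extension.
const REQUESTED = ["example.extA"];
const ECHOED = { "example.extA": true };
```

With `REQUESTED` and `ECHOED`, the "subset" mode accepts the response and the "proper" mode rejects it, which is the case the issue describes.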