Re: [webauthn] Consider allowing authenticators to randomise signed hashes.

@agl At the end of the day, the WebAuthn spec is a web spec and should only define the web interface. Defining an extension involves defining a web interface and a set of authenticator operations. If there's an ask to add a new extension, both the UA and the underlying authenticators need to accept the ask. If the ask here requires a change to the authenticator interface, the ask should start from there.

Which layer to start the ask from can be confusing given that there are a couple of extensions that only require a web interface change. For example, the FIDO AppId extension will only require a web interface addition since the authenticator protocol (U2F) already defined the AppId interface. The Generic Transaction Authorization Extension only requires the UA to show additional text in the authentication prompt, so there's no need to go down to the authenticator layer.


-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/453#issuecomment-327255706 using your GitHub account

Received on Tuesday, 5 September 2017 17:58:51 UTC