- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 09 Feb 2018 18:01:02 +0000
- To: public-webauthn@w3.org
> Actually, authenticators don't have to deal with two versions of an extension. If the generic conversion doesn't result in a syntactically legal request, they will drop it, which is fine. So if a specific transformation is defined for an extension (that alters the structure) then the "pass through" properties of the generic transform (i.e. no need to update browsers) wouldn't work, but extensions won't want that so will either have authenticators accept both, or will avoid defining specific transforms even when it would make sense. It also gives malicious sites a larger attack surface: they can send arbitrary valid CBOR to authenticators. (I have two tokens that try to implement the much simpler CTAP1 protocol and crash when processing certain, valid commands!) > If experience shows that no browser chooses to do this between CR and the final specification, then we can drop it for final. Looking at it from the other direction, does any browser intend to implement this? As noted, I don't strongly object if there's demand, I would just go the other path. -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/pull/789#issuecomment-364510265 using your GitHub account
Received on Friday, 9 February 2018 18:01:19 UTC