[webauthn] agl doesn't understand extensions

agl has just created a new issue for https://github.com/w3c/webauthn:

== agl doesn't understand extensions ==
(This is just a request for clarification to @selfissued, but I'm writing it as an issue in case it ends up being helpful for others to see it.)

In the course of implementing the `appid` extension, I hit a few points where my understanding is deficient:

Why are the client inputs contained in the [CollectedClientData](https://w3c.github.io/webauthn/#sec-client-data)? I see that the RP could learn from this which extensions the client supports but, if so, a) why also [echo a boolean](https://w3c.github.io/webauthn/#sctn-appid-extension) to indicate this in `appid` and b) why echo the full input when a boolean would do? (Echoing the full input value is a pain because we're unmarshaling them from JavaScript but then have to marshal internal structures back to JSON for this.)

Is the RP expected to verify that its inputs were faithfully reflected? The [instructions say](https://w3c.github.io/webauthn/#registering-a-new-credential) (step 7) to do a subset check, which could imply checking the full value, but it says the same thing about the `authenticatorExtensions`, and the RP can't check the value of those. (Unless it's supposed to verify the client's translation to CBOR? If so, why?)

Even if the RP does verify the extension fields in the CollectedClientData, that doesn't mean that the client passed those exact values to the authenticator [via CTAP2](https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorGetAssertion) so I'm unclear why the RP should bother.

In a similar vein, why are the authenticator inputs included in the [CollectedClientData](https://w3c.github.io/webauthn/#sec-client-data) too?

On the way back out, step 18.3 of [these instructions](https://w3c.github.io/webauthn/#discover-from-external-source) says that [[clientExtensionsResults]] is an “ArrayBuffer … containing the bytes of assertionCreationData.clientExtensionResults”. But the latter is an [AuthenticationExtensionsClientOutputs](https://w3c.github.io/webauthn/#dictdef-authenticationextensionsclientoutputs), so how is that turned into a byte string?

Lastly, why is `getClientExtensionResults` [a function](https://w3c.github.io/webauthn/#iface-pkcredential) and not simply a member of the `PublicKeyCredential` with type `AuthenticationExtensionsClientOutputs`? That seems uniquely out of place in this API.

Thank you for any clarity you can provide.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/803 using your GitHub account

Received on Thursday, 15 February 2018 01:40:17 UTC
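The step 7 "subset check" the issue asks about, as an added example that is not agl's code nor the spec's: an RP-side check that every extension echoed in the draft-era `clientExtensions` / `authenticatorExtensions` members of CollectedClientData was actually requested with the same value, plus the `appid` boolean output deciding which identifier the RP hashes for `rpIdHash`. The field names follow the 2018 draft the issue links to, and the sample client data and URLs are constructed.

```javascript
// Added example: RP-side extension checks against the 2018 draft's
// CollectedClientData shape. Sample values below are constructed.

// Constructed clientDataJSON for an assertion that requested `appid`.
const clientDataJSON = JSON.stringify({
  type: "webauthn.get",
  challenge: "c29tZS1jaGFsbGVuZ2U",
  origin: "https://rp.example",
  clientExtensions: { appid: "https://rp.example/app-id.json" },
  authenticatorExtensions: {},
});

// The inputs this RP actually sent in its request (constructed).
const requestedClientExtensions = { appid: "https://rp.example/app-id.json" };
const requestedAuthenticatorExtensions = {};

// Structural equality for JSON-shaped values (extension inputs may be nested).
function deepEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== "object" || typeof b !== "object" || a === null || b === null) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  return ka.length === kb.length && ka.every((k) => kb.includes(k) && deepEqual(a[k], b[k]));
}

// True when every echoed extension is one the RP requested, with the same value.
// An extension the RP never asked for, or a changed value, fails the check.
function isSubsetOfRequested(echoed, requested) {
  if (echoed === undefined) return true; // nothing echoed is trivially a subset
  if (typeof echoed !== "object" || echoed === null) return false;
  return Object.entries(echoed).every(
    ([id, value]) =>
      Object.prototype.hasOwnProperty.call(requested, id) && deepEqual(value, requested[id])
  );
}

// Applies the subset rule to both echoed members of the parsed client data.
function verifyClientDataExtensions(json, requestedClient, requestedAuth) {
  const c = JSON.parse(json);
  return isSubsetOfRequested(c.clientExtensions, requestedClient) &&
         isSubsetOfRequested(c.authenticatorExtensions, requestedAuth);
}

// The `appid` client output is a boolean: when true, the RP must expect
// rpIdHash to be the hash of the AppID rather than of the RP ID.
function rpIdForAssertion(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true ? appId : rpId;
}
```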