- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Feb 2018 12:14:13 +0000
- To: public-webauthn@w3.org
>This cryptographically binds these input values to the request. Who is the binding for? If we assume the RP trusts the authenticator but not the client, there's actually no guarantee to the RP that those authnr ext inputs are what was actually sent to the authenticator (unless their values can be verified using the corresponding authnr ext outputs, of course). For that the authehticator would need to sign over the _extensions_ parameter to the authenticator ops (and possibly also return it?), but the signature currently only includes the authnr ext **out**puts. For the client exts I suppose we need to assume the RP also trusts the client, so it seems reasonable to include the client ext inputs in the `CollectedClientData`. But then on the other hand there is no cryptographic proof of the integrity of the client ext outputs. For that the client ext outputs would also need to be included in the `CollectedClientData`. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/803#issuecomment-366220324 using your GitHub account
Received on Friday, 16 February 2018 12:14:16 UTC