[webauthn] Clarify how RP should verify extension outputs

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Clarify how RP should verify extension outputs ==
@agl [notes][comment] in #803:

>The instructions say only that the RP should check that the echoed extensions are a subset, but it's unclear if that means that the values must be identical, especially in light of the fact that the RP is also instructed to check that the [authenticator extensions](https://w3c.github.io/webauthn/#dom-collectedclientdata-authenticatorextensions) are a subset, where it cannot check the values. If values aren't checked, a compromised origin context can still manipulate the contents of an extension.

I suggest we should

- clarify what exactly (extension IDs? values? etc) should be a subset of what;
- add a step to the RP operations instructing vaguely to verify that the extension outputs "are as expected".

I intend to self-assign this when the repo is unlocked.

[comment]: https://github.com/w3c/webauthn/issues/803#issuecomment-366296231

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/804 using your GitHub account
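The two checks the issue asks the spec to spell out, written as an RP-side verification step. This is an added illustration, not code from the w3c/webauthn issue or spec: the identifier subset check applies to both client extension outputs and authenticator extension outputs, while per-extension value rules are assumptions (the `appid` rule follows its boolean output; `exampleEcho` is a hypothetical RP-defined extension).

```python
from typing import Any, Callable, Dict, Iterable, List, Mapping

# Per-extension value checks: extension id -> (requested input, echoed output) -> ok?
# These rules are assumptions for this example; a real RP derives them from the
# definitions of the extensions it actually requests.
VALUE_CHECKS: Dict[str, Callable[[Any, Any], bool]] = {
    # appid: input is the legacy AppID URL string, output is a boolean
    "appid": lambda inp, out: isinstance(out, bool),
    # hypothetical RP-specific extension whose output must echo its input exactly
    "exampleEcho": lambda inp, out: out == inp,
}


def verify_extension_outputs(
    requested: Mapping[str, Any],
    client_outputs: Mapping[str, Any],
    authenticator_ext_ids: Iterable[str] = (),
) -> List[str]:
    """Return the list of problems found; an empty list means accept.

    requested             -- extension inputs the RP put into its options
    client_outputs        -- clientExtensionResults as returned by the client
    authenticator_ext_ids -- identifiers of the extension outputs found in the
                             authenticator data (values are extension-specific
                             and opaque here, so only identifiers are checked)
    """
    problems: List[str] = []
    # 1. identifiers must be a subset of what the RP asked for, on both paths
    for ext in sorted(set(client_outputs) - set(requested)):
        problems.append(f"client echoed unrequested extension: {ext}")
    for ext in sorted(set(authenticator_ext_ids) - set(requested)):
        problems.append(f"authenticator returned unrequested extension: {ext}")
    # 2. values of the requested extensions must be what the RP expects;
    #    an extension with no registered rule is rejected rather than trusted
    for ext, out in client_outputs.items():
        if ext not in requested:
            continue
        check = VALUE_CHECKS.get(ext)
        if check is None:
            problems.append(f"no value check registered for {ext}; rejecting")
        elif not check(requested[ext], out):
            problems.append(f"unexpected value for {ext}: {out!r}")
    return problems


if __name__ == "__main__":
    # constructed sample: the RP requested only the appid extension
    asked = {"appid": "https://example.invalid/appid.json"}
    print(verify_extension_outputs(asked, {"appid": True}))            # []
    print(verify_extension_outputs(asked, {"appid": "yes"}))           # bad value
    print(verify_extension_outputs(asked, {"appid": True, "loc": 1}))  # unrequested
```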

Received on Friday, 16 February 2018 17:40:55 UTC