Re: [webauthn] agl doesn't understand extensions

I agree that binding the extension inputs isn't consistent with how we bind other inputs. I'd lean towards the previous attacker model that a compromised origin context isn't something we defend against.

Also agree authenticator inputs don't make sense. The authenticator outputs are the signed-over statements made by authenticators and should provide sufficient data to the RP to verify whatever the extension is to provide.

This part in the spec seems confusing as well:

> Likewise, the client extension outputs are represented as a dictionary in the result of getClientExtensionResults() with extension identifiers as keys, and the client extension output value of each extension as the value. Like the client extension input, the client extension output is a value that can be encoded in JSON.

> Extensions that require authenticator processing MUST define the process by which the client extension input can be used to determine the CBOR authenticator extension input and the process by which the CBOR authenticator extension output can be used to determine the client extension output.

Extensions can involve *both* client and authenticator processing. Client extension outputs should only depend on the former, and not on authenticator outputs, which are fully independent. Client outputs should be fully defined before the authenticator is invoked. This also means there is no ambiguity that client outputs are JSON, and authenticator outputs are CBOR.

Originally, the client outputs were represented as additions to the clientData, which meant that the origin context was not able to alter them on the way out. I'm still unclear if that will still be the case just by changing getClientExtensionResults from a callable to a field? I believe not.

-- 
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/803#issuecomment-366338141 using your GitHub account

Received on Friday, 16 February 2018 19:40:49 UTC
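
An added illustration of the distinction discussed in this thread (not part of the comment above or of the specification text): an RP-side sketch that reads extension outputs out of the authenticator data, which the authenticator signature covers, and lists which entries of `getClientExtensionResults()` it has only in unsigned form. The extension identifiers `example.ext` and `other.ext`, the RP ID `example.org` and the sample bytes are constructed; the small CBOR decoder is a stand-in for a real library, and signature verification is assumed to have happened already.

```python
import hashlib
FLAG_AT, FLAG_ED = 0x40, 0x80  # attested credential data / extension data present
SIMPLE = {20: False, 21: True, 22: None}

def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; returns (value, next_pos)."""
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if major == 7 and info in SIMPLE:
        return SIMPLE[info], pos
    if major >= 6 or info > 27:
        raise ValueError("unsupported CBOR item (tag, float or indefinite length)")
    val = info
    if info >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        n = 1 << (info - 24)
        val, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if major in (0, 1):  # unsigned / negative integer
        return (val if major == 0 else -1 - val), pos
    if major in (2, 3):  # byte string / text string
        raw = bytes(buf[pos:pos + val])
        if len(raw) != val:
            raise ValueError("truncated CBOR string")
        return (raw if major == 2 else raw.decode()), pos + val
    items = []  # array (4) or map (5, decoded as key/value pairs)
    for _ in range(val * (2 if major == 5 else 1)):
        item, pos = cbor_decode(buf, pos)
        items.append(item)
    return (dict(zip(items[0::2], items[1::2])) if major == 5 else items), pos

def signed_extension_outputs(auth_data):
    """Extension outputs carried inside authenticator data, which the signature covers."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags, pos = auth_data[32], 37  # rpIdHash(32) | flags(1) | signCount(4)
    if flags & FLAG_AT:  # aaguid(16) | credIdLen(2) | credId | COSE public key
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        _, pos = cbor_decode(auth_data, pos + 18 + cred_len)
    ext, pos = cbor_decode(auth_data, pos) if flags & FLAG_ED else ({}, pos)
    if pos != len(auth_data) or not isinstance(ext, dict):
        raise ValueError("malformed authenticator data")
    return ext

def unsigned_claims(client_results, auth_data):
    """Extension ids the RP knows only from getClientExtensionResults()."""
    return sorted(set(client_results) - set(signed_extension_outputs(auth_data)))

# Constructed sample: flags UP|ED, signCount 0, extensions {"example.ext": true}
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.org").digest() + bytes([0x01 | FLAG_ED])
                    + bytes(4) + b"\xa1\x6bexample.ext\xf5")
```

An identifier returned by `unsigned_claims` is not necessarily forged; it only means the RP has no authenticator-signed statement for it and is relying on what the page's script context passed along.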