Re: [webauthn] Emphasise that the CollectedClientData can be extended.

> Should we add the same note to the other interfaces sent back to the RP (PublicKeyCredential, AuthenticatorAttestationResponse and AuthenticatorAssertionResponse)? 

I don't think that we need to in those cases. Those values are not JSON that needs to be parsed, but JavaScript objects. It is possible for JavaScript to enumerate the set of attributes in them using the `for (attr in obj)` syntax, but one would have to go out of the way to do it. On the other hand, the JSON must be parsed to be usable and checking it against a template rather than parsing is something that seems quite plausible. Thus I think this only really applies to JSON (and similar cases).

The CBOR structures, however, are candidates. However, they don't seem quite so worrying. (Famous last words.) The extensions should only reflect extensions that the RP has requested and the credential public key is likewise negotiated with the RP via the `pubKeyCredParams`.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/827#issuecomment-373078748 using your GitHub account

Received on Wednesday, 14 March 2018 16:09:22 UTC