Re: [webauthn] Possibility of client-only implementation of authenticator extensions?

> It's true that this doesn't have the same integrity protection, but to compromise the latter you do need to compromise the origin, which is usually not in our attacker model.

I'm wondering, for a server representation of a public key credential, whether client extensions (outside possible collectedClientData additions) should be represented at all. These seem inappropriate for making security decisions, and better suited for business logic/presentation at the origin.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/912#issuecomment-389769738 using your GitHub account

Received on Thursday, 17 May 2018 07:20:59 UTC