[webauthn] Browsers adding extensions. (#1287)

ve7jtb has just created a new issue for https://github.com/w3c/webauthn:

== Browsers adding extensions. ==
We currently have one browser adding the CredProtect extension set to level 2 if the RP doesn't specify a level.

While that may be reasonable at some level, RPs are required by WebAuthn to reject registrations with extensions that the RP didn't ask for in step 12.

https://www.w3.org/TR/webauthn/#registering-a-new-credential

The workaround is having all RPs specify CredProtect explicitly.  That is probably not ideal.
We could back off the requirement to reject.  As long as the RP knows the extension it is perhaps OK for it to accept it.

I suspect that clients adding extensions on the user's behalf will not be that unusual going forward.

John B.




Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1287 using your GitHub account

Received on Tuesday, 27 August 2019 09:39:56 UTC
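
The two RP behaviours discussed in the issue above, as an added example that is not part of the original message or of the WebAuthn specification: a strict check that rejects any extension output the RP did not request, beside the relaxed policy of accepting unsolicited extensions the RP knows. The function names, the `KNOWN_EXTENSIONS` set and the sample maps are assumptions for illustration; inputs are taken to be already decoded from the registration response.

```javascript
// Added example: RP-side handling of extension outputs at registration.
// CBOR decoding of authenticator data is out of scope; inputs are plain maps.

// Extension identifiers this RP understands (assumption for the example).
const KNOWN_EXTENSIONS = new Set(["credProtect"]);

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Extensions present in the response that the RP never asked for.
function unsolicitedExtensions(requested, returned) {
  return Object.keys(returned).filter((id) => !has(requested, id));
}

// Strict reading described in the issue: reject if anything is unsolicited.
function checkStrict(requested, returned) {
  const unsolicited = unsolicitedExtensions(requested, returned);
  return { ok: unsolicited.length === 0, unsolicited };
}

// Relaxed policy floated in the issue: accept an unsolicited extension
// when the RP knows it; still reject identifiers the RP does not know.
function checkRelaxed(requested, returned, known = KNOWN_EXTENSIONS) {
  const unsolicited = unsolicitedExtensions(requested, returned);
  const unknown = unsolicited.filter((id) => !known.has(id));
  return { ok: unknown.length === 0, unsolicited, unknown };
}

// Constructed sample: the RP requested no extensions and the client
// added credProtect at level 2 on its own.
const requestedByRp = {};
const returnedOutputs = { credProtect: 2 };

// Constructed sample: an identifier the RP has never heard of.
const unknownOutputs = { exampleUnknownExt: true };

console.log("strict :", checkStrict(requestedByRp, returnedOutputs));
console.log("relaxed:", checkRelaxed(requestedByRp, returnedOutputs));
console.log("relaxed, unknown ext:", checkRelaxed(requestedByRp, unknownOutputs));
```

Under the relaxed policy the RP should still record the unsolicited list, since it shows which clients are adding extensions on the user's behalf.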