
[webauthn] Browsers adding extensions. (#1287)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Tue, 27 Aug 2019 09:39:54 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-485700510-1566898793-sysbot+gh@w3.org>

ve7jtb has just created a new issue for https://github.com/w3c/webauthn:

== Browsers adding extensions. ==
We currently have one browser adding the CredProtect extension set to level 2 if the RP doesn't specify a level.

While that may be reasonable at some level, RPs are required by WebAuthn to reject registrations with extensions that the RP didn't ask for in step 12.

https://www.w3.org/TR/webauthn/#registering-a-new-credential

The workaround is having all RPs specify CredProtect explicitly. That is probably not ideal.
We could back off the requirement to reject. As long as the RP knows the extension, it is perhaps OK for it to accept it.

I suspect that clients adding extensions on the user's behalf will not be that unusual going forward.

John B.




Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1287 using your GitHub account
Received on Tuesday, 27 August 2019 09:39:56 UTC
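
The RP-side check this issue discusses, as an added example that is not part of the original message or of any WebAuthn library: it compares the extension outputs returned at registration with what the RP requested, under the current reject-if-unsolicited rule and under the relaxation proposed above. The function name, the policy labels, the `KNOWN_EXTENSIONS` set and the sample outputs are assumptions made for illustration.

```javascript
// Extension identifiers this hypothetical RP understands (assumed set).
const KNOWN_EXTENSIONS = new Set(["credProtect", "hmac-secret"]);

// requestedIds: identifiers the RP asked for in its creation options.
// outputs:      decoded extension outputs from the registration response.
// policy:       "strict" = reject any extension the RP did not request
//                          (the requirement cited in the issue);
//               "known"  = also accept unsolicited extensions the RP
//                          understands (the relaxation proposed in the issue).
function checkExtensionOutputs(requestedIds, outputs, policy) {
  const requested = new Set(requestedIds);
  const unsolicited = Object.keys(outputs).filter((id) => !requested.has(id));
  const unknown = unsolicited.filter((id) => !KNOWN_EXTENSIONS.has(id));

  let accepted;
  if (policy === "strict") {
    accepted = unsolicited.length === 0;
  } else if (policy === "known") {
    accepted = unknown.length === 0;
  } else {
    throw new Error(`unsupported policy: ${policy}`);
  }
  // Report what was unsolicited so the RP can log client-added extensions
  // even when it accepts the registration.
  return { accepted, unsolicited, unknown };
}

// Constructed samples: [label, requested identifiers, returned outputs].
const cases = [
  ["browser adds credProtect level 2, RP asked for nothing", [], { credProtect: 2 }],
  ["workaround: RP asks for credProtect explicitly", ["credProtect"], { credProtect: 2 }],
  ["unsolicited extension the RP does not know", [], { exampleVendorExt: true }],
];

for (const [label, requestedIds, outputs] of cases) {
  const strict = checkExtensionOutputs(requestedIds, outputs, "strict").accepted;
  const known = checkExtensionOutputs(requestedIds, outputs, "known").accepted;
  console.log(`${label}: strict=${strict} known=${known}`);
}
```

Under the strict policy the first case fails even though the RP did nothing wrong, which is the interoperability problem described above; the relaxed policy accepts it while still rejecting the third case.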
