- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 18 Jan 2019 19:28:30 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by emlun to https://github.com/w3c/webauthn: * Make appid extension always return true This greatly simplifies client implementation logic while leaving RP implementation arguably unaffected. The argument for the latter is as follows. The previous published version of the spec had some corner cases where the extension output could be `true` although the RP would in fact need to verify against the RP ID instead of the AppID (see commit message 776b7b14d6e8f64b101db7e92318c877c588e861). In order to work around these corner cases, the RP has to always accept the RP ID as the `rpIdHash` even if the extension output alleges that the `rpIdHash` should be the hash of the AppID instead. This means that for maximum compatibility with client implementation versions, the RP must keep this workaround behaviour even after the spec fix made in commit 776b7b14d6e8f64b101db7e92318c877c588e861. The precision of the appid extension output is therefore not very useful since it cannot be relied upon with all clients as long as at least one installation of a client with the old behaviour exists. Therefore, this commit sacrifices the improved extension output accuracy for simplified client implementation logic. by Emil Lundberg https://github.com/w3c/webauthn/commit/20f027709c7b140ecfce22ab3729d6965e49386c
Received on Friday, 18 January 2019 19:28:31 UTC