[webauthn] new commits pushed by emlun

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 18 Jan 2019 19:28:30 +0000
To: public-webauthn@w3.org
Message-ID: <push-20f027709c7b140ecfce22ab3729d6965e49386c-1547839709-sysbot+gh@w3.org>

The following commits were just pushed by emlun to https://github.com/w3c/webauthn:

* Make appid extension always return true

This greatly simplifies client implementation logic while leaving RP
implementation arguably unaffected. The argument for the latter is as
follows.

The previous published version of the spec had some corner cases where
the extension output could be `true` although the RP would in fact need
to verify against the RP ID instead of the AppID (see commit message
776b7b14d6e8f64b101db7e92318c877c588e861). In order to work around these
corner cases, the RP has to always accept the RP ID as the `rpIdHash`
even if the extension output alleges that the `rpIdHash` should be the
hash of the AppID instead.

This means that for maximum compatibility with client implementation
versions, the RP must keep this workaround behaviour even after the spec
fix made in commit 776b7b14d6e8f64b101db7e92318c877c588e861. The
precision of the appid extension output is therefore not very useful
since it cannot be relied upon with all clients as long as at least one
installation of a client with the old behaviour exists.

Therefore, this commit sacrifices the improved extension output accuracy
for simplified client implementation logic.
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/20f027709c7b140ecfce22ab3729d6965e49386c
Received on Friday, 18 January 2019 19:28:31 UTC