- From: GitHub <noreply@github.com>
- Date: Fri, 18 Jan 2019 11:28:29 -0800
- To: public-webauthn@w3.org
- Message-ID: <5c4228dd64c90_ff32af6cd07457484294@hookshot-fe-6e9b612.cp1-iad.github.net.mail>
Branch: refs/heads/issue-1034-delete-appid-extension-output
Home: https://github.com/w3c/webauthn
Commit: 20f027709c7b140ecfce22ab3729d6965e49386c
https://github.com/w3c/webauthn/commit/20f027709c7b140ecfce22ab3729d6965e49386c
Author: Emil Lundberg <emil@yubico.com>
Date: 2019-01-18 (Fri, 18 Jan 2019)
Changed paths:
M index.bs
Log Message:
-----------
Make appid extension always return true
This greatly simplifies client implementation logic while leaving RP
implementation arguably unaffected. The argument for the latter is as
follows.
The previous published version of the spec had some corner cases where
the extension output could be `true` although the RP would in fact need
to verify against the RP ID instead of the AppID (see commit message
776b7b14d6e8f64b101db7e92318c877c588e861). In order to work around these
corner cases, the RP has to always accept the RP ID as the `rpIdHash`
even if the extension output alleges that the `rpIdHash` should be the
hash of the AppID instead.
This means that for maximum compatibility with client implementation
versions, the RP must keep this workaround behaviour even after the spec
fix made in commit 776b7b14d6e8f64b101db7e92318c877c588e861. The
precision of the appid extension output is therefore not very useful
since it cannot be relied upon with all clients as long as at least one
installation of a client with the old behaviour exists.
Therefore, this commit sacrifices the improved extension output accuracy
for simplified client implementation logic.
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
Received on Friday, 18 January 2019 19:29:11 UTC