[webauthn] Pull Request: Make appid extension always return true

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== Make appid extension always return true ==
This is an extension to PR #1143 and would merge into that.

I expect this might be a controversial proposal which might be closed with no action. Below is the motivation for it, which is also included as a commit message.


This greatly simplifies client implementation logic while leaving RP implementation arguably unaffected. The argument for the latter is as follows.

The [PropRec version of the spec][proprec] has some corner cases where the extension output could be `true` although the RP would in fact need to verify against the RP ID instead of the AppID (see issue #1034 and commit message 776b7b14d6e8f64b101db7e92318c877c588e861). In order to work around these corner cases, the RP has to always accept the RP ID as the `rpIdHash` even if the extension output alleges that the `rpIdHash` should be the hash of the AppID instead.

This means that for maximum compatibility with client implementation versions, the RP must keep this workaround behaviour even after the spec fix made in commit 776b7b14d6e8f64b101db7e92318c877c588e861. The precision of the appid extension output is therefore not very useful since it cannot be relied upon with all clients as long as at least one installation of a client with the old behaviour exists.

Therefore, this PR sacrifices the improved extension output accuracy for simplified client implementation logic.

[proprec]: https://www.w3.org/TR/2019/PR-webauthn-20190117/#sctn-appid-extension

See https://github.com/w3c/webauthn/pull/1144

Received on Friday, 18 January 2019 19:38:37 UTC