Re: [webauthn] Clearly define the way how RP handles the extensions (#1258)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 08 Oct 2019 11:24:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-539469065-1570533886-sysbot+gh@w3.org>
Sorry for the delay. Yes, for the extensions where the client extension outputs forward the authenticator extension outputs, I'd say the authenticator extension outputs in the signed AuthData should be preferred over the unsigned client extension outputs. For extensions where the client extension output and authenticator extension output are different (`appid`, `authnSel`, `biometricPerfBounds`, `credProps`), the RP should inspect both (none of those extensions have authenticator extension output, but future extensions might).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1258#issuecomment-539469065 using your GitHub account
Received on Tuesday, 8 October 2019 11:24:48 UTC
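
One way an RP could apply the preference described in the comment above, as an added example that is not part of the original message or of the WebAuthn specification. The function and constant names are hypothetical, and both inputs are assumed to be already decoded, with the authenticator outputs taken from authData only after its signature has been verified.

```javascript
// Added example: all names here are hypothetical, not from the WebAuthn spec or any library.
// Assumed inputs, already decoded by the RP:
//   clientOutputs        - unsigned client extension outputs sent by the client
//   authenticatorOutputs - extensions map from authData, taken only after the
//                          signature covering authData has been verified
const CLIENT_ONLY = new Set(["appid", "authnSel", "biometricPerfBounds", "credProps"]);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Key-order-independent serialization so decoded values can be compared.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v !== null && typeof v === "object") {
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

function resolveExtensionOutputs(clientOutputs, authenticatorOutputs) {
  const client = clientOutputs || {};
  const authr = authenticatorOutputs || {};
  const effective = new Map();
  const warnings = [];
  for (const id of new Set([...Object.keys(client), ...Object.keys(authr)])) {
    if (CLIENT_ONLY.has(id)) {
      // Outputs differ by design: hand both to the extension-specific check.
      effective.set(id, { client: client[id], authenticator: authr[id], signed: has(authr, id) });
    } else if (has(authr, id)) {
      // Forwarded output: the signed copy wins; a differing client copy is only logged.
      if (has(client, id) && canonical(client[id]) !== canonical(authr[id])) {
        warnings.push(id + ": client output differs from signed authenticator output");
      }
      effective.set(id, { value: authr[id], signed: true });
    } else {
      // Only the unsigned copy exists; mark it so policy can decide how far to trust it.
      effective.set(id, { value: client[id], signed: false });
    }
  }
  return { effective, warnings };
}
```

The `signed` flag lets later policy code distinguish values covered by the authenticator's signature from values that only the client reported.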

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:07 UTC