Re: [webauthn] Variable reference issue in DPK processing rules (#1817)

As discussed in the 14-Dec-22 working group call, it doesn't make security sense to copy fields from the signed authenticator extension output to the client extension output in an unsigned form. I suggest that when the extension is supported and used, the client extension output simply be `true` - indicating that the extension was used and the values in the authenticator extension output should be used.

-- 
GitHub Notification of comment by selfissued
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1817#issuecomment-1353290162 using your GitHub account



Received on Thursday, 15 December 2022 15:41:46 UTC