
Re: [webauthn] Backup state of credentials (#1692)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jan 2022 22:49:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021681330-1643150953-sysbot+gh@w3.org>
Haven't we already changed so extensions may now be unsolicited, motivated by `credProps`? In L2 we have this in [§7.1. Registering a New Credential](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#ref-for-client-platform%E2%91%A3%E2%91%A0):

>Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of `options.extensions`. Relying Parties MUST be prepared to handle such situations, whether it be to ignore the unsolicited extensions or reject the attestation. The Relying Party can make this decision based on local policy and the extensions in use.

But I agree the flags should be tamper-protected, so either authenticator flags or an authenticator extension.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1692#issuecomment-1021681330 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 25 January 2022 22:49:16 UTC
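
Added example (not part of the original message or of the WebAuthn specification): one way a Relying Party could apply the local policy described in the quoted §7.1 note, either ignoring unsolicited extension outputs or rejecting the ceremony. The function name `checkExtensionOutputs`, the policy fields `onUnsolicited` and `allowUnsolicited`, and the extension identifier `exampleExt` are assumptions made for illustration.

```javascript
// Added example: Relying Party policy for unsolicited extension outputs.
// checkExtensionOutputs and the policy field names are hypothetical.
function checkExtensionOutputs(requested, outputs, policy) {
  const requestedIds = new Set(Object.keys(requested || {}));
  const tolerated = new Set(policy.allowUnsolicited || []);
  // Null-prototype object, so an output named "__proto__" is stored as plain data.
  const accepted = Object.create(null);
  const unsolicited = [];

  for (const [id, value] of Object.entries(outputs || {})) {
    if (requestedIds.has(id)) {
      accepted[id] = value; // requested in options.extensions
    } else {
      unsolicited.push(id); // set by the client platform's local policy
      if (tolerated.has(id)) accepted[id] = value;
    }
  }

  const rejectedFor = unsolicited.filter((id) => !tolerated.has(id));
  // Fail closed: anything other than an explicit "ignore" rejects the ceremony.
  if (rejectedFor.length > 0 && policy.onUnsolicited !== "ignore") {
    return { ok: false, accepted: Object.create(null), unsolicited, rejectedFor };
  }
  // "ignore": unsolicited outputs outside the tolerated set are dropped, not processed.
  return { ok: true, accepted, unsolicited, rejectedFor: [] };
}

// Constructed sample: the RP requested only credProps; "exampleExt" is a made-up identifier.
const requested = { credProps: true };
const outputs = { credProps: { rk: true }, exampleExt: { value: 1 } };

const lenient = checkExtensionOutputs(requested, outputs,
  { onUnsolicited: "ignore", allowUnsolicited: [] });
const strictResult = checkExtensionOutputs(requested, outputs,
  { onUnsolicited: "reject", allowUnsolicited: [] });

console.log(lenient.ok, Object.keys(lenient.accepted), lenient.unsolicited);
console.log(strictResult.ok, strictResult.rejectedFor);
```

Logging the `unsolicited` list in both modes lets the Relying Party see which client platforms add extensions on their own before tightening the policy.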
