Re: [webauthn] Backup state of credentials (#1692)

> We changed level 2 to allow unsolicited.
> That is not to say that there won't be a pile of existing RP's with code that might be based on Level 1 that might reject assertions with unknown extensions.

AFAIK are already long-broken via the (relatively popular) combination of authenticators which support `credProps` and browsers which mandate its use if available. 

I would be more inclined to reserve these bits for mandatory-to-understand extensions as well as changes to the structure of authenticator data.

Bits are also very hard to change the meaning of once (beta) implementations have shipped or to otherwise semantically version. A `backupState` extension can change structure or even be replaced with an extension with a new name.

GitHub Notification of comment by dwaite
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 27 January 2022 22:18:00 UTC