W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Drop generic client extension processing? (#1730)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 09 Jun 2022 17:23:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1151399824-1654795427-sysbot+gh@w3.org>
> Except because [`credProps`] is not signed you can't use it to trust that an rk was created because the client can lie and tamper with that meaning you can't use it to assert that a usernameless or 2fa only flow can be used ....
> If it's not meant to be proof of anything, why does it exist, and use language that makes it sound like a proof? It's fully misleading and RP's will absolutely incorrectly rely on this value.

It exists in part because CTAP2 doesn't have a way to signal whether the created credential is discoverable or not, so the best effort we can manage for those existing authenticators is to have the client report what parameter it sent to the authenticator. If the client lies about the `credProps` output, it will only harm the user that the client is supposed to be working for, which is why it is deemed acceptable that the output is unsigned.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1730#issuecomment-1151399824 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 9 June 2022 17:23:50 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC