- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 07 Aug 2024 15:43:39 +0000
- To: public-webauthn@w3.org
> This means backward compatibility was violated regardless. Not really, but I guess it depends on the definition of backwards compatibility. The way we think of it in this case is that the Web IDL should reflect the realities of the interface presented to RPs, and it therefore must also cover past versions of the spec. The limited serialization algorithm is required for L2 clients, but obviously not for L1 clients since it didn't exist in L1. But RPs are not required to use the limited verification algorithm, and if an RP wants to remain compatible with L1 clients then it of course cannot impose L2 requirements on L1 clients. Even if an RP is not willing to support L1 clients, there is no guarantee that the client is an L2 client. The reality will always be that `CollectedClientData.crossOrigin` might be undefined, so we should advertise that to the RP in the Web IDL. It is unfortunate that - as you've noticed - this interface presented to RPs is not identical to the interface to be implemented by clients, but there's nothing we can do about that now for the differences between L1 and L2. On that train of thought, though... maybe we could in L3 add a version number to the client data, which would prevent future ambiguities like this between spec versions. I'll bring that topic up with the working group. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2101#issuecomment-2273778232 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 7 August 2024 15:43:40 UTC