Re: [webauthn] Improved version of extension for Transaction Confirmation (#2020)

> Maybe one more comment from my side after extensive reading on this subject (apologies, but I am fascinated that a challenge-response protocol does not allow sending the challenge to the authenticator in plain form, or at least augmenting it with custom data).
> 
> From what I understood, one of the reasons why web browser vendors did not implement the `txAuthSimple` extension was that they did not want to display data provided by the relying party (web page) in the browser UI. We can live without this - no need to display anything. This is why we added a display to our authenticator. The user can only see the challenge data / associated data in the authenticator - we are OK with this. We just need a way to sneak structured data to the authenticator.
> 
> I still think the best way to do this is not to destroy the challenge object by hashing it, but having an extension that works on a best-effort basis is enough.

I agree that it would be a good first step to simply hand over tx data to authenticators and enable scenarios where dedicated hardware authenticators with display capabilities can be used. Ultimately, we should aim for platform support, as this will have a much bigger impact.

From what I remember, there were concerns about tx data formatting and encoding, which need to be handled in a secure context where you'd want as little of such complexity as possible. So the challenge is to define a format that is comprehensive enough for a user to understand what they are signing off, but simple enough for the platform providers' implementation teams to follow.

![Windows hello txAuth](https://github.com/w3c/webauthn/assets/20115649/3c40aad4-c94c-4484-999e-02ab38c258eb)

-- 
GitHub Notification of comment by FlxMgdnz
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2020#issuecomment-1988074224 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 March 2024 10:23:17 UTC