Re: [webauthn] Add test vectors for PRF extension (#2174)

Do you think it makes sense to add something about the client _not_ sending this data to the server? Admittedly my experience with PRF is related to password managers. The server must never know your "password", or in this case the symmetric encryption key; therefore it's essential that the client does not send `results`. `hmac-secret` is encrypted, so the fact that it gets sent to the server is not a problem.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2174#issuecomment-2387246526 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 October 2024 23:16:57 UTC
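
The client-side handling the comment asks about, as an added example (not code from the original comment, the pull request, or the WebAuthn specification): the PRF `results` are separated from the extension outputs before anything is serialized for the server. The function names and the sample credential are hypothetical, and the input is assumed to be a plain-object (JSON-style) form of the credential.

```javascript
// Added example; function names are hypothetical, sample data is constructed.

// Split client extension results into the part that may go to the server
// and the PRF outputs that must stay on the client.
function splitPrfResults(clientExtensionResults) {
  const forServer = {};
  let localSecrets = null;
  for (const [name, value] of Object.entries(clientExtensionResults ?? {})) {
    if (name !== "prf" || value === null || typeof value !== "object") {
      forServer[name] = value;
      continue;
    }
    const { results, ...rest } = value; // rest keeps e.g. `enabled`
    if (results !== undefined) localSecrets = results;
    forServer.prf = rest;
  }
  return { forServer, localSecrets };
}

// Build the object the client serializes for the relying party.
// The input credential is not mutated.
function buildServerPayload(credential) {
  const { forServer, localSecrets } = splitPrfResults(credential.clientExtensionResults);
  return { payload: { ...credential, clientExtensionResults: forServer }, localSecrets };
}

// Guard to call right before the network request: true if any `prf`
// object anywhere in the payload still carries `results`.
function leaksPrfResults(node) {
  if (node === null || typeof node !== "object") return false;
  return Object.entries(node).some(([key, child]) =>
    (key === "prf" && child !== null && typeof child === "object" && "results" in child) ||
    leaksPrfResults(child));
}

// Constructed sample in JSON form (the base64url strings are placeholders).
const sampleCredential = {
  id: "Y3JlZC1pZA",
  type: "public-key",
  response: { clientDataJSON: "e30", authenticatorData: "AAAA", signature: "AAAA" },
  clientExtensionResults: {
    credProps: { rk: true },
    prf: { enabled: true, results: { first: "c2VjcmV0LTE", second: "c2VjcmV0LTI" } },
  },
};
```

`localSecrets` is what the client keeps for local key derivation; only `payload` is serialized and sent.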