Re: [webauthn] Add test vectors for PRF extension (#2174)

> Do you think it makes sense to add something about the client _not_ sending this data to the server?
> [...]
> Is it "obvious" that the client should not send this data seeing how if the server had this info it's now at best devolved into a shared secret?

Hm. I wanted to say that yes, this should be obvious enough in the use cases where this is relevant, and that there are other use cases where you actually do want to send the PRF outputs to the server. But we do since recently have this step in both [§7.1. Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential) and [§7.2. Verifying an Authentication Assertion](https://w3c.github.io/webauthn/#sctn-verifying-assertion):

>4. Let _clientExtensionResults_ be the result of calling _credential_.[`getClientExtensionResults()`](https://w3c.github.io/webauthn/#dom-publickeycredential-getclientextensionresults).

which perhaps complicates the matter a bit. The Relying Party Operations sections also don't really make a distinction between client-side and server-side parts of the RP, rather treating both as one entity, so it also doesn't seem quite appropriate to simply add something simple like ", omitting any properties that should not be sent to the server" either.

Maybe the right way to go is to just call out the client-side-only use case in the description of [`AuthenticationExtensionsPRFOutputs.results`](https://w3c.github.io/webauthn/#dom-authenticationextensionsprfoutputs-results), and warn to not accidentally send them back to the server if that is undesired for the use case.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2174#issuecomment-2389695303 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 2 October 2024 21:05:14 UTC