- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Wed, 02 Oct 2024 21:18:59 +0000
- To: public-webauthn@w3.org
Yeah, it's a tough call. Normally no distinction is made between client and server RP operations; however this is one exception (for password managers at least) where it's important to _not_ follow the ceremony criteria where one "blindly" sends `getClientExtensionResults`. Like you said, there are other use cases of PRF that may want the info to be sent to the server.

> Maybe the right way to go is to just call out the client-side-only use case in the description of [`AuthenticationExtensionsPRFOutputs.results`](https://w3c.github.io/webauthn/#dom-authenticationextensionsprfoutputs-results), and warn to not accidentally send them back to the server if that is undesired for the use case.

That's where I am leaning too: a brief cautionary note that mentions one may want to omit this information when sending `getClientExtensionResults` to the server when the server should not have this sensitive data.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2174#issuecomment-2389714033 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 2 October 2024 21:19:01 UTC
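The client-side omission discussed in the comment above, as an added illustration that is not part of the thread or of the WebAuthn spec text: a hypothetical `stripPrfResults` helper that drops `prf.results` (the PRF-derived key material) from a `getClientExtensionResults()` object before the RP client relays it to its server, while keeping members such as `prf.enabled` that the server may legitimately need. The sample input object is constructed to mirror the spec's `AuthenticationExtensionsPRFOutputs` shape.

```javascript
// Added example, not code from the WebAuthn spec or the thread.
// Assumed shape (per the spec's dictionaries): clientExtensionResults.prf is an
// AuthenticationExtensionsPRFOutputs with optional `enabled` (registration)
// and optional `results` ({ first, second? } of ArrayBuffers). Only `results`
// carries secret key material; `enabled` is safe to forward to the server.

function stripPrfResults(clientExtensionResults) {
  // Shallow-copy so the caller's object (and the PublicKeyCredential it came
  // from) is left intact; the local code may still need `results`.
  const forwarded = { ...clientExtensionResults };
  if (forwarded.prf && typeof forwarded.prf === "object") {
    const { results: _dropped, ...rest } = forwarded.prf;
    if (Object.keys(rest).length > 0) {
      // Keep the remaining PRF members (e.g. `enabled`).
      forwarded.prf = rest;
    } else {
      // Nothing non-sensitive left, so omit `prf` entirely.
      delete forwarded.prf;
    }
  }
  return forwarded;
}

// Constructed sample: what a browser might return from
// getClientExtensionResults() after a registration that requested prf.eval.
const sampleResults = {
  prf: {
    enabled: true,
    results: { first: new Uint8Array(32).fill(0xab).buffer },
  },
  credProps: { rk: true },
};

// Local use of the secret stays on the client; the server only sees the
// scrubbed copy.
const localSecret = sampleResults.prf.results.first;
const toServer = stripPrfResults(sampleResults);
```

`toServer` is what would go into the authentication or registration response sent to the RP server; `localSecret` is what a password manager would feed into its own key derivation and never transmit.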