Re: [webauthn] Add test vectors for PRF extension (#2174)

> A harsh rebuttal would be that any RP that "accidentally" sends sensitive data is likely not qualified to do whatever it is they are trying to do (e.g., password manager). 

I agree, but that doesn't tend to stop it in practice. Mistakes happen.

> I think there are other reasons one may want to remove certain data from toJSON anyway. [...]

Indeed! However, once you go down that path, you can rapidly end up at a point where you're doing enough customization to the format that you're better off not bothering with `toJSON` at all and manually assembling the parts of the format you _do_ want (as you have to do in practice today).

Which is in no way to suggest that your approach is wrong or invalid, but I want to keep in mind the common-case usage of that API. If there's a chance to avoid a pretty major security footgun before that API has widespread support, it's probably wise to do so.

Maybe my concerns are overstated. I suspect that most parties will ignore the extension entirely, and (as you suggest) it'll probably only get used by RPs that actually do need it and would understand the security implications.

In any case, the addition of test vectors for this looks great and I'm excited to see them added. Maybe it'd be better to spin this aspect off into a separate issue?

-- 
GitHub Notification of comment by Firehed
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2174#issuecomment-2394313050 using your GitHub account


Received on Friday, 4 October 2024 18:12:10 UTC
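
The "manually assemble the parts you do want" approach discussed in the message, as an added example that is not part of the original comment or of the WebAuthn specification. It assumes PRF outputs appear under `clientExtensionResults.prf.results` in the JSON form of the credential; the sample object, the allowlist and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like the JSON form of an assertion; every value is a placeholder.
const sampleAssertion = {
  id: "Y3JlZC1pZA",
  rawId: "Y3JlZC1pZA",
  type: "public-key",
  response: { clientDataJSON: "e30", authenticatorData: "AA", signature: "AA", userHandle: "dXNlcg" },
  clientExtensionResults: {
    credProps: { rk: true },
    prf: { enabled: true, results: { first: "c2VjcmV0LWZpcnN0", second: "c2VjcmV0LXNlY29uZA" } },
  },
};

// Hypothetical allowlist: extension name -> fields the server is allowed to see.
// prf.results is deliberately absent, so PRF outputs never leave the client.
const SERVER_EXTENSION_FIELDS = { credProps: ["rk"], prf: ["enabled"] };

// Assemble the server-bound payload field by field instead of forwarding the whole object.
function buildServerPayload(cred) {
  const { clientDataJSON, authenticatorData, signature, userHandle } = cred.response || {};
  const extensions = {};
  for (const [name, fields] of Object.entries(SERVER_EXTENSION_FIELDS)) {
    const src = (cred.clientExtensionResults || {})[name];
    if (src === null || typeof src !== "object") continue;
    extensions[name] = {};
    for (const field of fields) {
      if (field in src) extensions[name][field] = src[field];
    }
  }
  return {
    id: cred.id, rawId: cred.rawId, type: cred.type,
    response: { clientDataJSON, authenticatorData, signature, userHandle },
    clientExtensionResults: extensions,
  };
}

// Fail-closed guard to run just before the network call.
function hasPrfOutputs(payload) {
  const prf = payload && payload.clientExtensionResults && payload.clientExtensionResults.prf;
  return Boolean(prf && prf.results && (prf.results.first || prf.results.second));
}

const payload = buildServerPayload(sampleAssertion);
if (hasPrfOutputs(payload)) throw new Error("PRF output present in server payload");
console.log(JSON.stringify(payload, null, 2));
```

An allowlist means an extension field added later is withheld from the server until someone opts it in, which a blocklist applied to the full object would not guarantee.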