- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Fri, 04 Oct 2024 20:03:50 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn: == Add cautionary note about extension data in the ceremony criteria == In #2174 it was mentioned that a cautionary note about _not_ sending PRF data to the server may be appropriate for use cases where the output is used as a decryption key that should always remain client-side. I propose adding notes to the registration and authentication ceremony sections that express something like below: > Note: Since some extension data may need to remain client-side, the [Relying Party](https://w3c.github.io/webauthn/#relying-party) MUST be prepared to remove data in _clientExtensionResults_ client-side before sending data to the server for ceremony completion. Since signatures are based on _authData_, the Relying Party MUST NOT rely on extensions whose corresponding [authenticator extension outputs](https://w3c.github.io/webauthn/#authenticator-extension-output) in the [`extensions`](https://w3c.github.io/webauthn/#authdata-extensions) in _authData_ contains data that should remain client-side when relying on the server to complete the ceremony. Should be noted that there already exist two notes about extension processing in Steps 20 and 19 of the registration and authentication ceremonies respectively; thus this does not seem out of place. By being placed in the ceremony criteria, we don't have to worry about applying disclaimers for specific extensions (e.g., PRF). Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2177 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 4 October 2024 20:03:51 UTC