Re: [webauthn] Add note about possible sensitive data in extensions (#2178)

The reason I phrased this more generally was regarding your point about other use cases of PRF that don't require `results` to remain client-side:

> Hm. I wanted to say that yes, this should be obvious enough in the use cases where this is relevant, and that there are other use cases where you actually do want to send the PRF outputs to the server.

I generalized even further to apply to any extension. As I stepped back from the issue, I was starting to think I was partial in my worry, seeing how I'm only familiar with PRF in the context of password managers. Seemingly any extension could be used for any purpose; therefore one should always be careful about what data is sent back to the server based on their use case. Sure, one example is PRF in the context of password managers, but what's to stop an RP from using another extension?

If you want to apply this disclaimer on a case-by-case basis, then I suppose that's OK.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2178#issuecomment-2397148420 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 7 October 2024 14:49:34 UTC