Re: [webauthn] Need to have authenticator-only extensions (#2331)

Thanks @emlun for sharing the background behind this issue! Very helpful for someone like me who is familiar with WebAuthn in general but not so much with its detailed history.

I agree that permanently relying on extensions to modify the protocol behavior leads to fragmentation, which should not be encouraged. However, I see at least two legitimate uses of authenticator-only extensions. One, enterprises may use their own custom extensions with their own authenticators for their unique needs. Two, extensions are used to experiment with protocol enhancements before they are accepted into the main specification. Without such a pass-through property on intermediaries, it's impossible to run any such experiments, which is detrimental to evolving the protocol quickly.

I can understand that client browser vendors may not be so interested in supporting such a pass-through. However, a specification should spell out the best-practice behaviors of all participants in the system rather than merely the collective wishes of existing players. This is for the long-term success of the protocol, which is the goal of all participants, I suppose. Unless we are content with the protocol being bogged down in supporting the most basic use cases by small tweaks to the protocol, we must enable more experimentation. The extension mechanism is a powerful tool for this purpose.

Finally, I am surprised to learn that the utility method fromJSON was part of the reason for dropping pass-through processing. Isn't this in the implementation realm? While protocol design should take ease of implementation into consideration, letting implementation determine how the protocol should be specified sounds very backward to me. Simply separating the extensions into two parts, client and authenticator-only, should sidestep the conflict with the utility method, even if we wish to use such a utility. Unless I am missing something here, it shouldn't be an issue as long as we do not mix the two types of extensions.

Passkeys in the context of WebAuthn are a great step in the right direction. I really wish this would have its rightful impact in the real world. I strongly suggest that we reconsider the necessity of the pass-through processing on clients.

-- 
GitHub Notification of comment by joshzhao
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2331#issuecomment-3201902756 using your GitHub account


Received on Tuesday, 19 August 2025 19:06:24 UTC