- From: Emil Lundberg via GitHub <noreply@w3.org>
- Date: Wed, 04 Jun 2025 12:52:55 +0000
- To: public-webauthn@w3.org
> > **Client extension processing ([registration](https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/2298.html#registration-extension))** > > > > 1. If [`evalByCredential`](https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/2298.html#dom-authenticationextensionsprfinputs-evalbycredential) is present, return a [`DOMException`](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is “[`NotSupportedError`](https://webidl.spec.whatwg.org/#notsupportederror)”. > > VVVVVV Nope. Only applies to CTAP authenticators. This is incorrect - regardless of implementation backend, an `evalByCredential` argument during registration is nonsensical since the credential ID by definition cannot be known at that time. Its presence is therefore almost certainly a mistake on the RP's part, and we should fail early to help them catch that. The rest are fair points. I will say that the `prf` extension _is_ very `hmac-secret` centric by design, because it is expressly designed to interoperate with `hmac-secret`. But I did consider splitting it up into two separate implementation sections, so fair enough. I didn't want to make that big a change, but I suppose getting it done in L3 is better than later since this is new in L3. Thanks especially for mentioning `hmac-secret-mc`! I was faintly aware of it but hadn't thought to update PRF to include it; that'll also be good to have done in L3. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2298#issuecomment-2939929797 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 4 June 2025 12:52:56 UTC