Re: [webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285)

Yeah, I agree that is a bit confusing. User agents indeed _could_ implement the client outputs of the [`hmac-secret` extension](https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-extension), emitting the decrypted outputs as client outputs, but they SHOULD NOT since that would undermine the domain separation in the `prf` extension. Rather, user agents should implement the client-to-authenticator layer of `hmac-secret` and the client-to-RP layer of `prf`.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285#issuecomment-2970048172 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 13 June 2025 11:20:59 UTC
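
The domain separation the comment refers to, as an added example that is not part of the original comment or of any user agent's code: the `prf` client layer hashes each RP input with the "WebAuthn PRF" context label (as specified in WebAuthn Level 3) before using it as an `hmac-secret` salt, so a web RP cannot reproduce the output a platform-level `hmac-secret` caller gets for the same bytes. Function names and sample values are constructed for illustration, and the CTAP salt/output encryption between client and authenticator is omitted.

```python
import hashlib
import hmac
from typing import Optional

# Context label the prf extension prepends before hashing (WebAuthn Level 3).
PRF_CONTEXT = b"WebAuthn PRF"


def prf_input_to_salt(prf_input: bytes) -> bytes:
    """Client-to-RP layer (prf): hash an arbitrary-length RP input into a 32-byte salt."""
    return hashlib.sha256(PRF_CONTEXT + b"\x00" + prf_input).digest()


def hmac_secret_output(cred_random: bytes, salt: bytes) -> bytes:
    """Authenticator side of hmac-secret: HMAC-SHA-256(CredRandom, salt)."""
    if len(salt) != 32:
        raise ValueError("hmac-secret salts must be exactly 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def client_prf_eval(cred_random: bytes, first: bytes,
                    second: Optional[bytes] = None) -> dict:
    """prf results as a user agent would return them: only hashed inputs reach the authenticator."""
    results = {"first": hmac_secret_output(cred_random, prf_input_to_salt(first))}
    if second is not None:
        results["second"] = hmac_secret_output(cred_random, prf_input_to_salt(second))
    return results


def separation_holds(cred_random: bytes, value: bytes) -> bool:
    """True if the same 32 bytes yield different outputs as a raw salt and as a prf input."""
    raw = hmac_secret_output(cred_random, value)        # platform-level hmac-secret caller
    web = client_prf_eval(cred_random, value)["first"]  # web RP going through prf
    return not hmac.compare_digest(raw, web)


if __name__ == "__main__":
    cred_random = bytes(range(32))                       # constructed CredRandom
    value = hashlib.sha256(b"constructed-salt").digest() # constructed 32-byte value
    print("raw hmac-secret:", hmac_secret_output(cred_random, value).hex())
    print("prf            :", client_prf_eval(cred_random, value)["first"].hex())
    print("separated      :", separation_holds(cred_random, value))
```

A user agent that exposed `hmac_secret_output` results directly as client outputs would let a web RP choose the raw salt, which is the case the comment says SHOULD NOT happen.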