Re: [webauthn] Forbid authenticator data from containing plaintext PRF outputs (#2359)

PRF is a client extension, and thus its outputs cannot be part of authenticator data. The only way for client extensions to affect authenticator data is to specify additions to client data, which the client processing procedures for PRF do not do.

But it's a good point regardless, and maybe worth a clarifying note.

-- 
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2359#issuecomment-3515667704 using your GitHub account



Received on Tuesday, 11 November 2025 09:00:49 UTC