Re: [webauthn] Forbid authenticator data from containing plaintext PRF outputs (#2359)

> PRF is a client extension, and thus its outputs cannot be part of authenticator data.

According to what source? The spec is intentionally vague in how non-CTAP authenticators are to function when PRF is used for maximum flexibility in implementation. The fact that GPM did embed an authenticator extension called `prf` is proof that the spec doesn't forbid it or at least that it should be explicitly spelled out. Again, it wasn't an issue since GPM was only including the PRF _inputs_ (in addition to the PRF client output key `enabled`).

The fact that one must be careful when sending the PRF client extension to the server (e.g., via `PublicKeyCredential.toJSON`) since PRF can be used in a way where the outputs are sent to the server has me worried that authenticator data may contain similar sensitive data since apparently sending the PRF outputs to the server is acceptable.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2359#issuecomment-3517115803 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 11 November 2025 14:13:13 UTC
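The concern above, that PRF outputs can ride along when a `PublicKeyCredential.toJSON()` result is relayed to the server, as an added example that is not part of this thread or of any WebAuthn implementation: a client-side filter that drops `prf.results` before the credential JSON is sent and reports whether the authenticator data's ED (extensions) flag is set so the extension map can be inspected separately. It assumes Node's `Buffer`; the credential JSON and authenticator data are constructed samples (the `rpIdHash` is zero-filled).

```javascript
// Added example, not code from the WebAuthn spec or any browser/authenticator.
// Node's base64 decoder also accepts the URL-safe alphabet used by toJSON().
function base64urlToBytes(s) {
  return new Uint8Array(Buffer.from(s, "base64"));
}

function toBase64url(buf) {
  return Buffer.from(buf).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] | ...
// Flags byte: bit 0 UP, bit 2 UV, bit 6 AT (attested credential data), bit 7 ED (extensions).
function authDataHasExtensions(authDataB64url) {
  const authData = base64urlToBytes(authDataB64url);
  if (authData.length < 37) throw new Error("authenticator data too short");
  return (authData[32] & 0x80) !== 0;
}

// Deep-copies the toJSON() output, removes PRF outputs (results.first/second are
// the derived secrets and must stay on the client), and flags ED so the caller can
// decode the extension map before trusting what the authenticator appended.
function sanitizeForServer(credJson) {
  const out = JSON.parse(JSON.stringify(credJson));
  const prf = out.clientExtensionResults && out.clientExtensionResults.prf;
  let strippedPrfOutputs = false;
  if (prf && prf.results !== undefined) {
    delete prf.results;
    strippedPrfOutputs = true;
  }
  const authDataB64 = out.response && out.response.authenticatorData;
  const extensionsPresent = authDataB64 ? authDataHasExtensions(authDataB64) : false;
  return { credential: out, strippedPrfOutputs, extensionsPresent };
}

// Constructed sample: flags UP|UV|ED, sign count 1, CBOR extensions {"prf": {"enabled": true}}.
const sampleAuthData = Buffer.concat([
  Buffer.alloc(32, 0),                                   // rpIdHash (zero-filled placeholder)
  Buffer.from([0x85]),                                   // flags: UP | UV | ED
  Buffer.from([0x00, 0x00, 0x00, 0x01]),                 // signCount
  Buffer.from([0xa1, 0x63, 0x70, 0x72, 0x66,             // map(1) "prf":
    0xa1, 0x67, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0xf5]), // map(1) "enabled": true
]);
const sampleCredential = {
  id: "constructed-credential-id",
  type: "public-key",
  response: { authenticatorData: toBase64url(sampleAuthData) },
  clientExtensionResults: {
    prf: { enabled: true, results: { first: "c2VjcmV0LWZpcnN0", second: "c2VjcmV0LXNlY29uZA" } },
  },
};
```

The caller relays `sanitizeForServer(sampleCredential).credential`; the original object is left untouched so the page can still use the PRF outputs locally.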