- From: Arnar Birgisson via GitHub <noreply@w3.org>
- Date: Wed, 12 Nov 2025 03:11:04 +0000
- To: public-webauthn@w3.org
> Nothing forbids data from client extensions from being added into authenticator data. I would argue that an implementation cannot include any (authenticator) extension output fields that are not defined by the extension definition in the spec. Since the prf extension is a client-only extension, it by definition doesn't have any authenticator extension outputs. You are right that bugs like the one in iOS GPM are possible, but I'd not say they are compliant with the spec. I can see how this might be debatable, and given the stakes here I do agree it's worth adding your proposed note. It could even be stronger with a dedicated paragraph after the note you cited, e.g.: _Since a key intended use of PRF is for end-to-end encryption, implementations must ensure that PRF outputs are only represented in the client extension outputs, so that they can be withheld from the RP's own servers. In particular the PRF extension does not specify any additions to client data nor authenticator data, as these must be sent to RP servers._ -- GitHub Notification of comment by arnar Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2359#issuecomment-3519701210 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 12 November 2025 03:11:04 UTC