- From: My1 via GitHub <noreply@w3.org>
- Date: Wed, 08 Oct 2025 09:11:06 +0000
- To: public-webauthn@w3.org
My1 has just created a new issue for https://github.com/w3c/webauthn: == Same PRF regardless of UV? == Is there a specific reason the document defines that > Let PRF be a pseudo-random function whose outputs are exactly 32 bytes long, selected uniformly at random from a set of at least 2^256 such functions. **The choice of PRF MUST be independent of the state of user verification**. The selected PRF SHOULD NOT be used for other purposes than implementing this extension. Associate PRF with the current credential for the lifetime of the credential. it seems like an easy way to gain the PRF's output from a short contact with the authenticator, solely by having the credential ID, which is near-public anyway as they are given out by the RP solely by knowledge of a user identtifier for said RP, and the input (given out by the RP to actually do the authentication anyway) considering PRF outputs are supposed to be used for en/decrypting data potentially present on a device already, I'd say this would significantly weaken the assurances you can give a PRF. Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2337 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 8 October 2025 09:11:07 UTC