Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cautionary note about extension data in the ceremony criteria #2177

Closed
zacknewman opened this issue Oct 4, 2024 · 0 comments · Fixed by #2183
Closed

Add cautionary note about extension data in the ceremony criteria #2177

zacknewman opened this issue Oct 4, 2024 · 0 comments · Fixed by #2183

Comments

@zacknewman
Copy link
Contributor

In #2174 it was mentioned that a cautionary note about not sending PRF data to the server may be appropriate for use cases where the output is used as a decryption key that should always remain client-side. I propose adding notes to the registration and authentication ceremony sections that express something like below:

Note: Since some extension data may need to remain client-side, the Relying Party MUST be prepared to remove data in clientExtensionResults client-side before sending data to the server for ceremony completion. Since signatures are based on authData, the Relying Party MUST NOT rely on extensions whose corresponding authenticator extension outputs in the extensions in authData contains data that should remain client-side when relying on the server to complete the ceremony.

Should be noted that there already exist two notes about extension processing in Steps 20 and 19 of the registration and authentication ceremonies respectively; thus this does not seem out of place. By being placed in the ceremony criteria, we don't have to worry about applying disclaimers for specific extensions (e.g., PRF).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant