Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add note about possible sensitive data in extensions #2178

Closed

Conversation

zacknewman
Copy link
Contributor

@zacknewman zacknewman commented Oct 4, 2024

Closes #2177.


Preview | Diff

Copy link
Member

@emlun emlun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, but I don't think this quite hits the mark. The approach suggested in #2174 (comment) and seemingly agreed in #2174 (comment) was rather to call this out in the definition of the results output of the PRF extension. The approach here has a couple of problems in my opinion:

  • This instead adds the warning to the RP Operations processing steps; at that point of processing it is likely too late as the data has usually already been sent to the server and these steps are run on the server side.
  • I don't think the generalization to "[any] extension data [that] may need to remain client-side" seems all that useful, especially since this avoids pointing out PRF as the one (currently) relevant example. Similarly, the "[=[RP]=] MUST NOT rely on extensions [...]" part doesn't really seem actionable and rather sounds to me like such an extension is ill-specified.
  • As noted in Are notes in webauthn normative or informative? #1979 we shouldn't have normative language ("MUST" etc.) in notes. Admittedly we have a lot of them already, but we shouldn't add more.

I therefore propose PR #2183 to supersede this.

@zacknewman
Copy link
Contributor Author

The reason I phrased this more generally was regarding your point about other use cases of PRF that don't require results to remain client-side:

Hm. I wanted to say that yes, this should be obvious enough in the use cases where this is relevant, and that there are other use cases where you actually do want to send the PRF outputs to the server.

I generalized even further to apply to any extension. As I stepped back from the issue, I was starting to think I was partial in my worry seeing how I'm only familiar with PRF in the context of password managers. Seemingly any extension could be used for any purpose; therefore one should always be careful about what data is sent back to the server based on their use case. Sure one example is PRF in the context of password managers, but what's to stop an RP from using another extension?

If you want to apply this disclaimer on a case-by-case basis, then I suppose that's OK.

@zacknewman zacknewman closed this Oct 7, 2024
@zacknewman zacknewman deleted the Cautionary-note-about-extensions branch October 7, 2024 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add cautionary note about extension data in the ceremony criteria
2 participants