[webauthn] Clarify uses of ClientData

gmandyam has just created a new issue for 
https://github.com/w3c/webauthn:

== Clarify uses of ClientData ==
As per https://w3c.github.io/webauthn/#sec-client-data,

"The client data represents the contextual bindings of both the 
Relying Party and the client platform."  This implies that 
authenticator contextual bindings are not included in the ClientData.
  Moreover, all dictionary entries listed in this section (challenge, 
rpId, etc.) do not represent values that are set by the authenticator.

Yet https://w3c.github.io/webauthn/#sec-android-attestation-signature
 defines platform-specific extensions to ClientData that are 
authenticator specific, which implies a contextual binding of the 
authenticator.

My suggestion is to prohibit such platform-specific extensions to 
ClientData.  

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/209 using your GitHub account

Received on Saturday, 17 September 2016 13:54:05 UTC