Add note about possible sensitive data in extensions #2178
Conversation
There was a problem hiding this comment.
Thanks, but I don't think this quite hits the mark. The approach suggested in #2174 (comment) and seemingly agreed in #2174 (comment) was rather to call this out in the definition of the results output of the PRF extension. The approach here has a couple of problems in my opinion:
- This instead adds the warning to the RP Operations processing steps; at that point of processing it is likely too late as the data has usually already been sent to the server and these steps are run on the server side.
- I don't think the generalization to "[any] extension data [that] may need to remain client-side" seems all that useful, especially since this avoids pointing out PRF as the one (currently) relevant example. Similarly, the "[=[RP]=] MUST NOT rely on extensions [...]" part doesn't really seem actionable and rather sounds to me like such an extension is ill-specified.
- As noted in Are notes in webauthn normative or informative? #1979 we shouldn't have normative language ("MUST" etc.) in notes. Admittedly we have a lot of them already, but we shouldn't add more.
I therefore propose PR #2183 to supersede this.
|
The reason I phrased this more generally was regarding your point about other use cases of PRF that don't require
I generalized even further to apply to any extension. As I stepped back from the issue, I was starting to think I was partial in my worry seeing how I'm only familiar with PRF in the context of password managers. Seemingly any extension could be used for any purpose; therefore one should always be careful about what data is sent back to the server based on their use case. Sure one example is PRF in the context of password managers, but what's to stop an RP from using another extension? If you want to apply this disclaimer on a case-by-case basis, then I suppose that's OK. |
Closes #2177.
Preview | Diff