What does unsigned mean in regards to "unsigned extension outputs"


Robert Hartman

Sep 13, 2023, 9:03:03 AM
to FIDO Dev (fido-dev)
The Level 3 Editor's Draft of the WebAuthn specification 

The specifications state that these extension outputs are generated by an authenticator.  

What does "Unsigned" mean in the context of Extension Outputs?
What is a use case for this feature?
Is there a list of supported "unsigned" extensions being added to specifications?

Thank you 


Adam Langley

Sep 14, 2023, 9:40:31 AM
to FIDO Dev (fido-dev), Robert Hartman
On Wednesday, September 13, 2023 at 6:03:03 AM UTC-7 Robert Hartman wrote:
> The Level 3 Editor's Draft of the WebAuthn specification
>
> The specifications state that these extension outputs are generated by an authenticator.
>
> What does "Unsigned" mean in the context of Extension Outputs?

These extension outputs are not covered by the signature over the authenticatorData.

> What is a use case for this feature?

Extensions that produce signatures over the authenticatorData themselves, otherwise a signature has to sign itself (which isn't possible).

Also extensions that produce results that should not be sent to the server, e.g. the prf extension at the CTAP2 level.

> Is there a list of supported "unsigned" extensions being added to specifications?

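Added example, not part of the thread and not code from the WebAuthn or CTAP specifications: a minimal model of the distinction described in the reply above, showing which bytes the assertion signature covers and why a second signature over authenticatorData has to travel outside it. Assumptions: HMAC-SHA256 stands in for the authenticator's asymmetric signatures, JSON stands in for the CBOR extension map, and the keys, field names and the extension names `exampleSigned` and `exampleSig` are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for the authenticator's
# asymmetric signatures so the example runs with the standard library only.
CRED_KEY = b"constructed-credential-key"
EXT_KEY = b"constructed-extension-key"  # key of a hypothetical signing extension

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def auth_data(rp_id: str, count: int, signed_ext: dict) -> bytes:
    # rpIdHash | flags (UP, UV, ED = 0x85) | signCount | extensions.
    # Real authenticatorData encodes extensions as CBOR; JSON is a stand-in.
    ext = json.dumps(signed_ext, sort_keys=True).encode()
    return hashlib.sha256(rp_id.encode()).digest() + b"\x85" + count.to_bytes(4, "big") + ext

def get_assertion(rp_id: str, cdh: bytes, signed_ext: dict) -> dict:
    ad = auth_data(rp_id, 7, signed_ext)
    return {
        "authData": ad,
        "signature": mac(CRED_KEY, ad + cdh),  # covers authData || clientDataHash
        # Second signature over the same bytes: it cannot live inside authData,
        # because inserting it would change the bytes it was computed over.
        "unsigned": {"exampleSig": mac(EXT_KEY, ad + cdh).hex()},
    }

def rp_verify(resp: dict, cdh: bytes) -> bool:
    return hmac.compare_digest(mac(CRED_KEY, resp["authData"] + cdh), resp["signature"])

def ext_verify(resp: dict, cdh: bytes) -> bool:
    want = mac(EXT_KEY, resp["authData"] + cdh).hex()
    return hmac.compare_digest(want, resp["unsigned"]["exampleSig"])

def demo() -> dict:
    cdh = hashlib.sha256(b'{"constructed":"clientDataJSON"}').digest()
    resp = get_assertion("example.com", cdh, {"exampleSigned": True})
    # A changed unsigned output does not affect the assertion signature check.
    t1 = dict(resp, unsigned={"exampleSig": "00" * 32})
    # A changed signed extension inside authData breaks the assertion.
    t2 = dict(resp, authData=auth_data("example.com", 7, {"exampleSigned": False}))
    # Moving the second signature into authData invalidates that signature.
    t3 = dict(resp, authData=auth_data("example.com", 7, dict(resp["unsigned"])))
    return {"ok": rp_verify(resp, cdh) and ext_verify(resp, cdh),
            "unsigned_tamper_passes": rp_verify(t1, cdh),
            "signed_tamper_passes": rp_verify(t2, cdh),
            "self_signing_valid": ext_verify(t3, cdh)}
```

In this model a relying party that needs integrity for an unsigned output has to verify it by the extension's own means, as `ext_verify` does, because the assertion signature says nothing about it.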