Merge pull request #2012 from w3c/uxo

Expand upon the definition of "unsigned extension outputs"
w3c · Jan 24, 2024 · 73b3562 · 73b3562
2 parents 82db709 + 8f8c7ea
commit 73b3562
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/index.bs b/index.bs
@@ -6498,7 +6498,9 @@ and the corresponding value is the <dfn>authenticator extension output</dfn> for
 
 <dfn>Unsigned extension outputs</dfn> are represented independently from [=authenticator data=] and returned by authenticators
 as a separate map, keyed with the same [=extension identifier=]. This map only contains entries for authenticator
-extensions that make use of unsigned outputs.
+extensions that make use of unsigned outputs. Unsigned outputs are useful when extensions output a signature over
+the [=authenticator data=] (because otherwise a signature would have to sign over itself, which isn't possible) or when
+some extension outputs should not be sent to the [=[RP]=].
 
 Note: In [[!FIDO-CTAP]] [=unsigned extension outputs=] are returned as a CBOR map in a top-level field named
 `unsignedExtensionOutputs` from both [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=].