From 46a3d5e91c0b6a471d86f439f09e45985c52dc8c Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Tue, 9 Jan 2024 15:45:55 -0800 Subject: [PATCH 1/2] Expand upon the definition of "unsigned extension outputs" Fixes #1964 --- index.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index bcd25ceb2..9a8d0ba58 100644 --- a/index.bs +++ b/index.bs @@ -6571,7 +6571,9 @@ and the corresponding value is the authenticator extension output for Unsigned extension outputs are represented independently from [=authenticator data=] and returned by authenticators as a separate map, keyed with the same [=extension identifier=]. This map only contains entries for authenticator -extensions that make use of unsigned outputs. +extensions that make use of unsigned outputs. Unsigned outputs are useful when extensions output a signature over +the [=authenticator data=] (because otherwise a signature would have to sign over itself, which isn't possible) or when +the extension outputs should not be sent to the RP. Note: In [[!FIDO-CTAP]] [=unsigned extension outputs=] are returned as a CBOR map in a top-level field named `unsignedExtensionOutputs` from both [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=]. From 8f8c7ea95e294d3d37db5fa0a832f7d3e1e920b7 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 10 Jan 2024 12:30:13 -0800 Subject: [PATCH 2/2] Apply suggestion. Co-authored-by: Emil Lundberg --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 9a8d0ba58..a0d1f4fe1 100644 --- a/index.bs +++ b/index.bs 
@@ -6573,7 +6573,7 @@ and the corresponding value is the authenticator extension output for as a separate map, keyed with the same [=extension identifier=]. This map only contains entries for authenticator extensions that make use of unsigned outputs. Unsigned outputs are useful when extensions output a signature over the [=authenticator data=] (because otherwise a signature would have to sign over itself, which isn't possible) or when -the extension outputs should not be sent to the RP. +some extension outputs should not be sent to the [=[RP]=]. Note: In [[!FIDO-CTAP]] [=unsigned extension outputs=] are returned as a CBOR map in a top-level field named `unsignedExtensionOutputs` from both [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=].
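Review bot: In PATCH 1/2, the sentence added after "extensions that make use of unsigned outputs." says when unsigned outputs are useful but never states the consequence of keeping them outside the [=authenticator data=]: they are not signed over, so a consumer cannot treat them as authenticated unless the extension output carries its own signature, as in the first case the sentence gives. Suggest adding one sentence saying so. The parenthetical "(because otherwise a signature would have to sign over itself, which isn't possible)" is rationale rather than a requirement and would sit better in a Note, like the "Note: In [[!FIDO-CTAP]] ..." paragraph that follows.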
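Review bot: In PATCH 2/2, the reworded line "some extension outputs should not be sent to the [=[RP]=]" still does not say which party receives and processes those outputs, or what is expected to keep them from reaching the RP. Suggest naming the intended consumer (for example the client, if that is the intent) so an implementer reading this paragraph knows who handles an unsigned output that is withheld from the RP. Changing "the" to "some" also leaves open which outputs are meant; a short qualifier tying it to the extension's own definition would remove the ambiguity.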