robin-nitrokey
commented
11 months ago Unfortunately there is no clear rule for that (at least from my understanding), see also the discussion in: https://github.com/Nitrokey/fido-authenticator/issues/6
But it is de facto required both by the Google test suite and the Chrome implementation.
Instead of sending an empty CBOR map as a response, we now always send an empty response. Previously, we had this as a special case for the ClientPin response, but we need it for LargeBlobs too. So a generic implementation makes more sense and is easier to maintain.