w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

"Authenticator extension processing" is likely wrong #548

Status: Closed (leshi closed this issue 7 years ago)

leshi commented 7 years ago

The description says:

As specified in §5.1 Authenticator data, the CBOR authenticator extension input value of each processed authenticator extension is included in the extensions data part of the authenticator data. This part is a CBOR map, with CBOR extension identifier values as keys, and the CBOR authenticator extension input value of each extension as the value.

I believe that's incorrect. Specifically, it talks about putting the authenticator extension input in the authenticator data, but I think it means the authenticator extension output.

Other evidence of this theory is the contradictory statement in section 5.1 (Authenticator Data), which states that the extension field "is a CBOR [RFC7049] map with extension identifiers as keys, and authenticator extension outputs as values. See §8 WebAuthn Extensions for details."
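The distinction the comment draws can be seen on the wire: the authenticator data that a relying party receives is an output, and the CBOR map at its tail holds what each extension produced, while the extension inputs travel the other way, inside the `extensions` member of the `PublicKeyCredentialRequestOptions`/`PublicKeyCredentialCreationOptions` the relying party hands to the client. The parser below, written for this page and not taken from the issue, the spec, or the w3c/webauthn project, walks the §5.1 layout (rpIdHash, flags, signCount, optional attested credential data, optional extensions map) and returns the extension outputs as a JS Map. The function names, the sample bytes, and the extension identifiers `example.ext` and `example.num` are constructed for the example and are not registered extensions.

```javascript
// Added example (not code from the w3c/webauthn issue or the spec itself):
// a relying-party-side parser for WebAuthn authenticator data that pulls the
// extension OUTPUTS map out of its tail. Layout per WebAuthn §5.1:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
//   | attestedCredentialData (present when flags & AT=0x40)
//   | extensions (present when flags & ED=0x80; a CBOR map keyed by
//     extension identifier, holding each extension's authenticator output)
// Only the CBOR subset needed here is decoded (ints, byte/text strings,
// arrays, maps, true/false/null); anything else is rejected.

const AT_FLAG = 0x40; // attested credential data included
const ED_FLAG = 0x80; // extension data included

function readUint32(bytes, off) {
  return ((bytes[off] << 24) >>> 0) + (bytes[off + 1] << 16) + (bytes[off + 2] << 8) + bytes[off + 3];
}

// Decode the argument following a CBOR initial byte; returns [value, nextOffset].
function readArg(bytes, off, info) {
  if (info < 24) return [info, off];
  const size = { 24: 1, 25: 2, 26: 4 }[info];
  if (size === undefined) throw new Error(`unsupported CBOR argument encoding ${info}`);
  if (off + size > bytes.length) throw new Error("truncated CBOR head");
  let v = 0;
  for (let i = 0; i < size; i++) v = v * 256 + bytes[off + i];
  return [v, off + size];
}

// Minimal CBOR decoder; returns [value, nextOffset]. Maps become JS Maps so
// integer keys (COSE_Key) and text keys (extension identifiers) both work.
function decodeCbor(bytes, off = 0) {
  if (off >= bytes.length) throw new Error("truncated CBOR item");
  const major = bytes[off] >> 5;
  const info = bytes[off] & 0x1f;
  let n;
  [n, off] = readArg(bytes, off + 1, info);
  switch (major) {
    case 0: return [n, off];
    case 1: return [-1 - n, off];
    case 2:
    case 3: {
      if (off + n > bytes.length) throw new Error("truncated CBOR string");
      const s = bytes.slice(off, off + n);
      return [major === 2 ? s : new TextDecoder().decode(s), off + n];
    }
    case 4: {
      const arr = [];
      for (let i = 0; i < n; i++) { let v; [v, off] = decodeCbor(bytes, off); arr.push(v); }
      return [arr, off];
    }
    case 5: {
      const map = new Map();
      for (let i = 0; i < n; i++) {
        let k, v;
        [k, off] = decodeCbor(bytes, off);
        [v, off] = decodeCbor(bytes, off);
        map.set(k, v);
      }
      return [map, off];
    }
    case 7:
      if (info === 20) return [false, off];
      if (info === 21) return [true, off];
      if (info === 22) return [null, off];
      // fall through: floats and other simple values are not needed here
    default:
      throw new Error(`unsupported CBOR item (major ${major}, info ${info})`);
  }
}

// Parse authenticator data and reject anything malformed or trailing.
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) throw new Error("authenticator data shorter than the 37-byte fixed header");
  const rpIdHash = bytes.slice(0, 32);
  const flags = bytes[32];
  const signCount = readUint32(bytes, 33);
  let off = 37;
  let attestedCredentialData = null;
  if (flags & AT_FLAG) {
    if (bytes.length < off + 18) throw new Error("truncated attested credential data");
    const aaguid = bytes.slice(off, off + 16); off += 16;
    const credIdLen = (bytes[off] << 8) | bytes[off + 1]; off += 2;
    if (bytes.length < off + credIdLen) throw new Error("truncated credential id");
    const credentialId = bytes.slice(off, off + credIdLen); off += credIdLen;
    let credentialPublicKey; // COSE_Key, itself a CBOR map
    [credentialPublicKey, off] = decodeCbor(bytes, off);
    attestedCredentialData = { aaguid, credentialId, credentialPublicKey };
  }
  let extensions = null; // the authenticator extension OUTPUTS, keyed by identifier
  if (flags & ED_FLAG) {
    [extensions, off] = decodeCbor(bytes, off);
    if (!(extensions instanceof Map)) throw new Error("extensions field is not a CBOR map");
    for (const key of extensions.keys()) {
      if (typeof key !== "string") throw new Error("extension identifier is not a text string");
    }
  }
  if (off !== bytes.length) throw new Error("trailing bytes after authenticator data");
  return { rpIdHash, flags, signCount, attestedCredentialData, extensions };
}

// Constructed sample (not a real authenticator's output): an assertion's
// authenticator data with UP and ED set, signCount 7, and an extensions map
// {"example.ext": true, "example.num": 42}. Both identifiers are hypothetical.
const utf8 = (s) => Array.from(new TextEncoder().encode(s));
const SAMPLE_AUTH_DATA = new Uint8Array([
  ...new Array(32).fill(0x11),               // rpIdHash placeholder, not a real SHA-256
  0x81,                                      // flags: UP (0x01) | ED (0x80); AT clear
  0x00, 0x00, 0x00, 0x07,                    // signCount = 7
  0xa2,                                      // CBOR map, 2 entries
  0x6b, ...utf8("example.ext"), 0xf5,        // "example.ext": true
  0x6b, ...utf8("example.num"), 0x18, 0x2a,  // "example.num": 42
]);

console.log(parseAuthenticatorData(SAMPLE_AUTH_DATA).extensions);
```

The inputs never appear in this structure: a relying party that wants an extension processed sets it in the `extensions` dictionary of the options it passes to `navigator.credentials.create()` or `.get()`, the client forwards the authenticator extension inputs to the authenticator, and the authenticator's reply to that input is what shows up in the map parsed above (client extension outputs are separate, returned via `getClientExtensionResults()`).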

nadalin commented 7 years ago

@selfissued, since you went through the extensions, can you review?

selfissued commented 7 years ago

Good catch. The "authenticator data" is an output. It should say that the authenticator extension input is included in the request to the authenticator. I'll create a PR.