Closed gmandyam closed 8 years ago
Does this last paragraph of the current section 5 {#extension-request-parameters} address this use case?
For extensions that specify additional authenticator processing only, it is desirable that the platform
need not know the extension. To support this, platforms SHOULD pass the client argument of
unknown extension as the authenticator argument unchanged, under the same extension identifier.
The authenticator argument should be the CBOR encoding of the client argument, as specified in
Section 4.2 of [RFC7049]. Clients SHOULD silently drop unknown extensions whose client argument
cannot be encoded as a CBOR structure.
shall we close this issue?
Closing issue. Note that as long as we do not put normative requirements on how UVI is generated by an authenticator, it is for all intents and purposes an opaque data extension.
An RP may send opaque data to an authenticator via an extension that requires no client processing. This should be a pre-registered extension type and would be passed directly to the authenticator from the client.