Merge pull request #2183 from w3c/issue-2178-prf-warning

Add warning about sending PRF outputs to server
w3c · Oct 29, 2024 · 406ec42 · 406ec42
2 parents 3c506d4 + 8c6827e
commit 406ec42
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -7535,6 +7535,15 @@ Note: this extension may be implemented for [=authenticators=] that do not use [
 
         :   <dfn>results</dfn>
         ::  The results of evaluating the PRF for the inputs given in {{AuthenticationExtensionsPRFInputs/eval}} or {{AuthenticationExtensionsPRFInputs/evalByCredential}}. Outputs may not be available during [=registration=]; see comments in {{AuthenticationExtensionsPRFInputs/eval}}.
+
+            Advisement:
+            For some use cases, for example if PRF outputs are used to derive encryption keys to use only on the client side,
+            it may be necessary to omit this {{AuthenticationExtensionsPRFOutputs/results}} output
+            if the {{PublicKeyCredential}} is sent to a remote server,
+            for example to perform the procedures in [[#sctn-rp-operations]].
+            Note in particular that the {{RegistrationResponseJSON}} and {{AuthenticationResponseJSON}}
+            returned by <code>{{PublicKeyCredential}}.{{PublicKeyCredential/toJSON()}}</code>
+            will include this {{AuthenticationExtensionsPRFOutputs/results}} output if present.
     </div>