Regarding these TODOs:
The security device sends us a CTAP response that contains both the flags (AT: response contains credential data, ED: response contains extensions) and the actual data. We deserialize that into a Rust struct.
We are then serializing it again into a different format, the one WebAuthn requires. The way we currently do it is to just serialize the flags as given, check whether our Rust struct contains either credential data or extensions, and serialize them, too.
That means we trust the device to set the correct flags instead of double-checking them (== "is the AT flag really set if we have credential data?"). But once we start double-checking everything the device sends us, a lot of sanity-check code will be necessary.
I therefore think we can "just trust" the device here.
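For reference, the consistency check discussed above is small when written out. The following is an added example, not code from this project: `AuthData`, `FlagMismatch`, `check_flags` and `normalize_flags` are hypothetical names standing in for the deserialized CTAP struct; the bit positions (AT = bit 6, ED = bit 7 of the authenticator-data flags byte) come from the WebAuthn specification.

```rust
// Added example (not the project's code): compare the flags byte reported by
// the authenticator with the optional data that was actually deserialized.

/// Authenticator-data flags, bit 6: attested credential data is present.
const FLAG_AT: u8 = 0x40;
/// Authenticator-data flags, bit 7: extension data is present.
const FLAG_ED: u8 = 0x80;

/// Hypothetical, simplified stand-in for the deserialized CTAP response.
#[derive(Debug)]
pub struct AuthData {
    pub flags: u8,
    pub credential_data: Option<Vec<u8>>,
    pub extensions: Option<Vec<u8>>,
}

#[derive(Debug, PartialEq)]
pub enum FlagMismatch {
    AtSetWithoutData,
    DataWithoutAt,
    EdSetWithoutData,
    ExtensionsWithoutEd,
}

/// Report every disagreement between the flags and the fields present.
pub fn check_flags(a: &AuthData) -> Vec<FlagMismatch> {
    let mut out = Vec::new();
    match (a.flags & FLAG_AT != 0, a.credential_data.is_some()) {
        (true, false) => out.push(FlagMismatch::AtSetWithoutData),
        (false, true) => out.push(FlagMismatch::DataWithoutAt),
        _ => {}
    }
    match (a.flags & FLAG_ED != 0, a.extensions.is_some()) {
        (true, false) => out.push(FlagMismatch::EdSetWithoutData),
        (false, true) => out.push(FlagMismatch::ExtensionsWithoutEd),
        _ => {}
    }
    out
}

/// Re-derive AT/ED from the data actually present; other bits (UP, UV, ...)
/// are kept exactly as the device reported them.
pub fn normalize_flags(a: &AuthData) -> u8 {
    let mut f = a.flags & !(FLAG_AT | FLAG_ED);
    if a.credential_data.is_some() { f |= FLAG_AT; }
    if a.extensions.is_some() { f |= FLAG_ED; }
    f
}

fn main() {
    // Constructed sample: device claims AT+ED but sent neither payload.
    let sample = AuthData { flags: 0x01 | FLAG_AT | FLAG_ED, credential_data: None, extensions: None };
    println!("{:?} -> normalized flags 0x{:02x}", check_flags(&sample), normalize_flags(&sample));
}
```

Serializing `normalize_flags(&a)` instead of `a.flags` gives the WebAuthn side a flags byte that always matches the data that follows it, whichever way the device got it wrong.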