[webauthn] Define extension client processing more carefully.

jyasskin has just created a new issue for 
https://github.com/w3c/webauthn:

== Define extension client processing more carefully. ==
#347 defines the "client processing" term for use in
`makeCredential()` and `getAssertion()`, but it doesn't yet define an
input and output format for the data, and it doesn't fix up the actual
client processing definitions to have defined output. For example,
https://w3c.github.io/webauthn/#extension-txauth refers to "default
forwarding of client argument to authenticator argument.", but nothing
has defined that default forwarding.

In that definition, I'm tempted to use [canonical 
CBOR](https://tools.ietf.org/html/rfc7049#section-3.9) (since 
arbitrary CBOR is likely to increase parsing difficulty, which will 
cause vulnerabilities in authenticators), but:
1. We'll need some more details defined locally, like double vs float
   format, to make it actually canonical.
2. Not all JS objects can be serialized at all. We'll probably want to
   conceptually go through JSON.stringify in order to get a
   deterministic result for those.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/363 using your GitHub account

Received on Friday, 24 February 2017 23:18:13 UTC
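
The encoding the issue proposes, as an added example that is not part of the original message or of the WebAuthn specification: a value is passed through JSON.stringify and then encoded under the canonical rules of RFC 7049 section 3.9 (shortest integer form, definite lengths, map keys sorted by encoded length and then bytewise). Always emitting non-integers as 64-bit doubles is an assumption made here for the float-format detail the issue leaves open, and `head`, `cmpBytes`, `encode`, `canonicalCbor` and `toHex` are hypothetical names.

```javascript
// Added example: canonical CBOR (RFC 7049 section 3.9) for JSON-representable values.
// Assumption: non-integer numbers always use the 64-bit double form (0xfb).

// Initial byte plus argument, using the shortest encoding that fits n.
function head(major, n) {
  const m = major << 5;
  if (n < 24) return [m | n];
  const [ai, len] = n < 0x100 ? [24, 1] : n < 0x10000 ? [25, 2] : n < 2 ** 32 ? [26, 4] : [27, 8];
  const out = [m | ai];
  for (let i = len - 1; i >= 0; i--) out.push(Number((BigInt(n) >> BigInt(8 * i)) & 0xffn));
  return out;
}

// Bytewise comparison of two equal-length byte arrays.
function cmpBytes(a, b) {
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function encode(v) {
  if (v === null) return [0xf6];
  if (typeof v === 'boolean') return [v ? 0xf5 : 0xf4];
  if (typeof v === 'number') {
    if (Number.isSafeInteger(v)) return v >= 0 ? head(0, v) : head(1, -1 - v);
    const d = new DataView(new ArrayBuffer(8));
    d.setFloat64(0, v); // big-endian by default
    return [0xfb, ...new Uint8Array(d.buffer)];
  }
  if (typeof v === 'string') {
    const utf8 = new TextEncoder().encode(v);
    return [...head(3, utf8.length), ...utf8];
  }
  if (Array.isArray(v)) return [...head(4, v.length), ...v.flatMap((item) => encode(item))];
  // Map: sort keys by their encoded form, shorter first, then bytewise.
  const pairs = Object.keys(v).map((k) => [encode(k), encode(v[k])]);
  pairs.sort(([a], [b]) => a.length - b.length || cmpBytes(a, b));
  return [...head(5, pairs.length), ...pairs.flatMap(([k, val]) => [...k, ...val])];
}

// JSON.stringify first: it drops or rejects what JSON cannot represent, so
// the encoder only ever sees null, booleans, numbers, strings, arrays, maps.
function canonicalCbor(value) {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError('value has no JSON representation');
  return Uint8Array.from(encode(JSON.parse(json)));
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
```

Two objects that differ only in property insertion order produce identical bytes, which is the property a receiver needs in order to reject any non-canonical input with a single strict parser.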