[webauthn] I don't understand how to create a ClientData in makeCredential

bzbarsky has just created a new issue for 
https://github.com/w3c/webauthn:

== I don't understand how to create a ClientData in makeCredential ==
https://w3c.github.io/webauthn/#dom-webauthentication-makecredential 
step 8 says:

> Use attestationChallenge, callerOrigin and rpId, along with the
> token binding key associated with callerOrigin (if any), to create a
> ClientData structure representing this request. Choose a hash
> algorithm for hashAlg and compute the clientDataJSON and
> clientDataHash.

ClientData is defined to be a dictionary like so:

    dictionary ClientData {
      required DOMString           challenge;
      required DOMString           origin;
      required AlgorithmIdentifier hashAlg;
      DOMString                    tokenBinding;
      WebAuthnExtensions           extensions;
    };

Alright.  So how do I go about creating one?  

1. I guess I should fill in "challenge" from "attestationChallenge"?  
But "attestationChallenge" is a BufferSource, while "challenge" is a 
DOMString.  How is the DOMString generated from the BufferSource?
2. I guess I should fill in "origin" from "callerOrigin", but the 
former is a DOMString while the latter is an origin; in this case a 
tuple.  How is the DOMString generated?
3. Where in here is rpId used?
4. This is the first mention of a "token binding key" in this 
algorithm.  What is that, and how does one find out whether there is 
one associated with `callerOrigin`?
5. It's not clear to me what "Choose a hash algorithm for hashAlg" 
means in practice.  hashAlg can be either a string or an ES object.  
Which one is it expected to be in this case?  If it's expected to be 
an ES object, then we have a problem because then we need to define 
exactly what "JSON serialization" means for it...
6. Is "extensions" supposed to be set to anything?  At first glance, 
no, since it's not in the set of data the spec says to use to create 
the ClientData.  But I expect that's a spec bug?



Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/273 using your GitHub account

Received on Friday, 4 November 2016 20:50:46 UTC