> the expectation is presumably that the hash is stable for a given ClientData

This is not true. There is no such expectation. Both makeCredential and getAssertion return the actual serialized string clientDataJSON as an ArrayBuffer along with their respective signatures. This should be enough for the RP to check the signature and to verify the contents of the clientData by parsing the stringified JSON. This was done specifically to avoid canonicalization issues like this one.

--
GitHub Notification of comment by vijaybh
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/274#issuecomment-259013878 using your GitHub account

Received on Tuesday, 8 November 2016 01:02:42 UTC
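
The RP-side check described in the comment above, as an added example that is not part of the original message or of the WebAuthn repository: hash clientDataJSON exactly as received, verify the signature, and only then parse it. The signed-data layout (authenticatorData followed by SHA-256 of clientDataJSON), the function names and every sample value are assumptions constructed for illustration.

```javascript
// Added example. Assumption: the signature covers
// authenticatorData || SHA-256(clientDataJSON).
const { createHash, generateKeyPairSync, sign, verify } = require('crypto');

const sha256 = (buf) => createHash('sha256').update(buf).digest();

// RP side: hash the bytes as received, verify the signature, then parse.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, expected) {
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!verify('sha256', signedData, publicKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  let clientData;
  try {
    clientData = JSON.parse(clientDataJSON.toString('utf8'));
  } catch {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (clientData.challenge !== expected.challenge) return { ok: false, reason: 'challenge mismatch' };
  if (clientData.origin !== expected.origin) return { ok: false, reason: 'origin mismatch' };
  return { ok: true, clientData };
}

// Constructed sample: a throwaway P-256 key stands in for the authenticator.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const expected = { challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl', origin: 'https://rp.example' };
// The client's own serialization: spacing and key order the RP never has to reproduce.
const clientDataJSON = Buffer.from(
  '{ "origin": "https://rp.example",  "challenge": "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" }', 'utf8');
const authenticatorData = Buffer.alloc(37, 0x01); // placeholder bytes, not a real structure
const signature = sign('sha256',
  Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
const response = { clientDataJSON, authenticatorData, signature };

// Anti-pattern: parse and re-serialize before hashing. The bytes change, so the
// hash changes, and a genuine signature no longer verifies.
function verifyAfterReserialize(resp) {
  const parsed = JSON.parse(resp.clientDataJSON.toString('utf8'));
  const reserialized = Buffer.from(JSON.stringify(parsed), 'utf8');
  return verifyAssertion({ ...resp, clientDataJSON: reserialized }, publicKey, expected);
}

console.log(verifyAssertion(response, publicKey, expected).ok);
console.log(verifyAfterReserialize(response).reason);
```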