Re: [webauthn] explain challenge's security importance and use in both registration and authentication operations

Did y'all consider requiring the value to be a base64-encoded `DOMString`, and doing the decoding/bufferizing as part of the `makeCredential` and `getAssertion` algorithms? `base64` seems like a sufficient hurdle that folks wouldn't generate it themselves client-side, and they wouldn't have to come back to the spec to look up how to convert a string into an `ArrayBuffer`. I know I would have had to look that up...

-- 
GitHub Notification of comment by mikewest
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/404#issuecomment-294277336 using your GitHub account

Received on Saturday, 15 April 2017 07:17:05 UTC