[webauthn] Consider requiring canonical CBOR throughout

agl has just created a new issue for https://github.com/w3c/webauthn:

== Consider requiring canonical CBOR throughout ==
[Canonical CBOR](https://tools.ietf.org/html/rfc7049#section-3.9) is a distinguished subset of CBOR encodings, and is specified in the original RFC. Most CBOR implementations will produce something close to canonical CBOR most of the time but, by requiring it, implementations can avoid decoder complexity. This might be especially valuable for authenticators, as they are constrained and need to parse CBOR if they are to handle extensions.

Without this, implementations are very likely to implement an ill-defined subset of CBOR anyway (e.g. by rejecting lengths with superfluous zeros and so on) and this will result in arguments whenever something produces valid (but non-canonical) CBOR that is rejected by some existing implementations. If this discovery happens late in the development of an implementation, it can be quite costly.

Conversely, if canonical CBOR is required, a single common implementation that is strict will ensure that the whole ecosystem remains healthy and interoperable on this point.

Lastly, the ordering requirements of canonical CBOR make it easy to reject maps with duplicate keys. Although that doesn't appear to be pertinent to the current webauthn spec, it's a classic way to cause confusion between two parsers (and thus security issues) and could arise in future extensions.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455 using your GitHub account

Received on Monday, 8 May 2017 00:04:07 UTC
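What a strict canonical-CBOR check actually involves, as an added example for this archive page (it is not code from the webauthn spec, from the issue author, or from any CBOR library): a small decoder for the subset WebAuthn structures use (integers, byte and text strings, arrays, maps, false/true/null) that in strict mode enforces RFC 7049 section 3.9, rejecting non-shortest-form integers and lengths, indefinite-length items, and map keys that are not in canonical order. Because canonical order is strictly increasing, the same comparison rejects duplicate keys. A lenient mode is included only so the same bytes can be run through both behaviours; the sample inputs are hand-encoded for this example and not captured from any authenticator.

```python
"""Canonical-CBOR decoder for a WebAuthn-style subset (added example, not project code).

Strict mode enforces RFC 7049 section 3.9: shortest-form arguments, no indefinite-length
items, and map keys in canonical order (shorter encoded key first, then bytewise), which
also rules out duplicate keys. Lenient mode mimics a permissive decoder for comparison.
"""


class CanonicalError(ValueError):
    """Input is malformed or valid-but-non-canonical CBOR."""


# Smallest argument value that justifies a 1-, 2-, 4- or 8-byte argument field.
_MIN_FOR_WIDTH = {1: 24, 2: 1 << 8, 4: 1 << 16, 8: 1 << 32}


class CborDecoder:
    def __init__(self, data: bytes, strict: bool = True):
        self.buf = bytes(data)
        self.strict = strict
        self.pos = 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise CanonicalError("truncated input")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _head(self):
        """Read the initial byte plus its argument; return (major_type, argument)."""
        ib = self._take(1)[0]
        major, info = ib >> 5, ib & 0x1F
        if info < 24:
            return major, info
        if info == 31:
            raise CanonicalError("indefinite-length items are never canonical")
        if info > 27:
            raise CanonicalError("reserved additional-information value")
        width = 1 << (info - 24)
        arg = int.from_bytes(self._take(width), "big")
        if self.strict and arg < _MIN_FOR_WIDTH[width]:
            raise CanonicalError(f"{arg} encoded in {width} bytes is not shortest form")
        return major, arg

    def item(self):
        # false / true / null are single bytes in this subset
        if self.buf[self.pos:self.pos + 1] in (b"\xf4", b"\xf5", b"\xf6"):
            return {0xF4: False, 0xF5: True, 0xF6: None}[self._take(1)[0]]
        major, arg = self._head()
        if major == 0:
            return arg
        if major == 1:
            return -1 - arg
        if major == 2:
            return self._take(arg)
        if major == 3:
            return self._take(arg).decode("utf-8")  # UnicodeDecodeError on bad UTF-8
        if major == 4:
            return [self.item() for _ in range(arg)]
        if major == 5:
            return self._map(arg)
        raise CanonicalError(f"major type {major} is outside this subset")

    def _map(self, count: int) -> dict:
        result, prev_rank = {}, None
        for _ in range(count):
            start = self.pos
            key = self.item()
            encoded_key = self.buf[start:self.pos]
            # Canonical order compares encoded length first, then the raw bytes.
            # A repeated key is not strictly greater than its predecessor, so it fails too.
            rank = (len(encoded_key), encoded_key)
            if self.strict and prev_rank is not None and rank <= prev_rank:
                raise CanonicalError("map keys out of canonical order or duplicated")
            prev_rank = rank
            result[key] = self.item()  # lenient mode: a duplicate key silently wins
        return result


def decode(data: bytes, strict: bool = True):
    """Decode one top-level item; strict mode accepts canonical CBOR only."""
    dec = CborDecoder(data, strict)
    value = dec.item()
    if dec.pos != len(dec.buf):
        raise CanonicalError("trailing bytes after the top-level item")
    return value


def is_canonical(data: bytes) -> bool:
    try:
        decode(data, strict=True)
        return True
    except (CanonicalError, UnicodeDecodeError, TypeError):
        return False


# Constructed sample inputs, hand-encoded for this example.
CANONICAL = bytes.fromhex("a2 63616c67 26 6474797065 6a7075626c69632d6b6579")      # {"alg": -7, "type": "public-key"}
PADDED_LENGTH = bytes.fromhex("b802 63616c67 26 6474797065 6a7075626c69632d6b6579")  # same map, 2-byte map header
WRONG_ORDER = bytes.fromhex("a2 6474797065 6a7075626c69632d6b6579 63616c67 26")    # "type" key before "alg"
DUPLICATE_KEY = bytes.fromhex("a2 63616c67 26 63616c67 3824")                       # {"alg": -7, "alg": -37}

if __name__ == "__main__":
    print("canonical:", decode(CANONICAL))
    for name, blob in [("padded length", PADDED_LENGTH), ("wrong order", WRONG_ORDER),
                       ("duplicate key", DUPLICATE_KEY)]:
        print(f"{name}: strict accepts={is_canonical(blob)}, lenient gives={decode(blob, strict=False)}")
```

The duplicate-key sample is the case the issue text warns about: a lenient decoder returns `{"alg": -37}` (last value wins, another might keep the first), while the strict decoder refuses the message outright, so two parsers can never disagree about what it meant.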