Re: [webauthn] Consider requiring canonical CBOR throughout

Do we ever expect situations where the number of items in a structure wouldn't be known when the client or authenticator starts generating that structure, or where an integer's value might depend on something later in the output? If so, then requiring a minimum-length encoding forces extra copies of the data. See [BoringSSL's DER generator](https://boringssl.googlesource.com/boringssl/+/master/crypto/bytestring/cbb.c#221) for an example. It also doesn't seem to simplify the parser. [BoringSSL's DER parser](https://boringssl.googlesource.com/boringssl/+/master/crypto/bytestring/cbs.c#242) has extra code to check that lengths are minimal, and I don't see places that save code because of the restriction.

The other two restrictions in Canonical CBOR, that structures don't use indeterminate lengths, and that map keys are sorted, do seem like worthwhile simplifications.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-302916028 using your GitHub account

Received on Sunday, 21 May 2017 05:24:26 UTC