Re: [webauthn] Extensions need to define how their parameters convert to/from CBOR

Those specifications are pretty useless, sorry.   The first example I came to: https://w3c.github.io/webauthn/#sctn-simple-txauth-extension says:

> The client extension input encoded as a CBOR text string (major type 3).

What does that mean?  The input is an ES Value, right?  Is https://tc39.github.io/ecma262/#sec-tostring used?  Something else?  If it's ToString, that can have side-effects, so the exact timing of the operation needs to be defined.

Then once you've got an ES String, you have a sequence of 16-bit integers.  "major type 3" in RFC 7049 is a string of "Unicode characters encoded as UTF-8".  Is the sequence of 16-bit integers meant to be treated as UTF-16?  If so, how are invalid codepoints handled?  All of this needs to be specified and it's not.

And this is the simplest case.  Cases like https://w3c.github.io/webauthn/#sctn-generic-txauth-extension are completely unspecified in terms of how one goes from an ES Value to something that can be encoded in CBOR.  And this is all observable, because there are side-effects everywhere, because ES.

-- 
GitHub Notification of comment by bzbarsky
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/626#issuecomment-335930727 using your GitHub account

Received on Wednesday, 11 October 2017 20:01:39 UTC
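
The conversion steps this comment asks the specification to define (ES value to ES String, 16-bit code units to UTF-8, UTF-8 to a CBOR major type 3 item), as an added example that is not part of the original message or of the WebAuthn specification. The function names and the `'replace'`/`'throw'` policy switch are assumptions made for illustration; replacing lone surrogates with U+FFFD is simply what `TextEncoder` does, not a behaviour the specification states.

```javascript
// Added example; names and the 'replace'/'throw' switch are assumptions.

// True if s contains a surrogate code unit that is not half of a valid pair.
function hasLoneSurrogate(s) {
  for (let i = 0; i < s.length; i++) {
    const u = s.charCodeAt(i);
    if (u >= 0xd800 && u <= 0xdbff) {
      const next = s.charCodeAt(i + 1); // NaN past the end of the string
      if (next >= 0xdc00 && next <= 0xdfff) { i++; continue; }
      return true; // high surrogate with no low surrogate after it
    }
    if (u >= 0xdc00 && u <= 0xdfff) return true; // stray low surrogate
  }
  return false;
}

// Header for CBOR major type 3 carrying a UTF-8 byte length (RFC 7049, 2.1).
function cborTextHeader(n) {
  if (n < 24) return [0x60 | n];
  if (n < 0x100) return [0x78, n];
  if (n < 0x10000) return [0x79, n >> 8, n & 0xff];
  return [0x7a, n >>> 24, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
}

// ES value -> ES String -> UTF-8 -> CBOR text string.
function encodeTextInput(value, policy = 'replace') {
  const s = `${value}`; // ToString: runs user code for objects, throws for Symbol
  if (policy === 'throw' && hasLoneSurrogate(s)) {
    throw new TypeError('extension input contains a lone surrogate');
  }
  const utf8 = new TextEncoder().encode(s); // lone surrogates become U+FFFD
  return Uint8Array.from([...cborTextHeader(utf8.length), ...utf8]);
}

// Constructed input: an object whose string conversion changes on every call.
function shiftingInputDemo() {
  let calls = 0;
  const input = { toString() { calls += 1; return `pay ${calls} EUR`; } };
  const hex = (b) => Buffer.from(b).toString('hex');
  return { first: hex(encodeTextInput(input)), second: hex(encodeTextInput(input)), calls };
}

console.log(shiftingInputDemo());
```

If the string conversion runs more than once, or at a different point than the user was shown the text, the bytes that end up in the CBOR item can differ from what was displayed, which is why the timing of the conversion has to be fixed.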