Re: [webauthn] Consider requiring canonical CBOR throughout

I believe the complexity of the protocol is because of _what_ we serialize, not _how_ we serialize it.

That said, I am going to withdraw my objection to canonical CBOR. I will solve in-place generation in a different way. Indefinite encoding of strings would allow things like fragmenting map keys and that is just plain expensive and unhelpful. Adding our own set of restrictions will just create confusion, as will different requirements in different directions.

However, if we are adding this, I believe we must require every implementation to enforce it. If we don't, compatibility between two implementations might become inconsistent.

As an aside, I believe the WebAuthn ecosystem will be more of an oligarchy. There will be only a handful of platform implementations and their implementations will become the de facto standard, bugs included. Their quality and adherence to the spec will be a main factor in the success of this protocol.

-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-326953595 using your GitHub account

Received on Monday, 4 September 2017 12:41:26 UTC
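The canonical-encoding rules the comment refers to, as an added example (not code from the WebAuthn spec, from CTAP, or from the commenter): a dependency-free validator a relying party could run over received CBOR that rejects indefinite-length items (the fragmented map keys mentioned above), non-minimal integer and length encodings, unordered or duplicate map keys, and trailing bytes. It applies the RFC 7049 section 3.9 ordering rule (shorter encoded key first, then bytewise); the function names are assumptions of this example.

```python
# Added example (not WebAuthn spec code): canonical-CBOR validator per RFC 7049 s.3.9.
def _head(data, pos):
    # Decode one initial byte and its argument -> (major type, argument, next offset).
    if pos >= len(data):
        raise ValueError("truncated input at offset %d" % pos)
    major, ai, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    if ai < 24:
        return major, ai, pos
    if ai > 27:                               # 28-30 reserved, 31 = indefinite length / break
        raise ValueError("indefinite-length or reserved additional info at offset %d" % (pos - 1))
    n = 1 << (ai - 24)                        # 1, 2, 4 or 8 argument bytes
    if pos + n > len(data):
        raise ValueError("truncated argument at offset %d" % pos)
    arg = int.from_bytes(data[pos:pos + n], "big")
    # Shortest-form rule; major type 7 is exempt (ai 25-27 there mean float16/32/64).
    if major != 7 and arg < (24, 256, 1 << 16, 1 << 32)[ai - 24]:
        raise ValueError("non-minimal integer or length encoding at offset %d" % (pos - 1))
    return major, arg, pos + n

def _item(data, pos):
    """Validate one data item starting at pos; return the offset just past it."""
    major, arg, pos = _head(data, pos)
    if major in (2, 3):                       # byte string / text string payload
        if pos + arg > len(data):
            raise ValueError("truncated string at offset %d" % pos)
        return pos + arg
    if major in (4, 6):                       # array of arg items, or tag wrapping one item
        for _ in range(arg if major == 4 else 1):
            pos = _item(data, pos)
        return pos
    if major == 5:                            # map of arg key/value pairs
        prev = None
        for _ in range(arg):
            kstart = pos
            pos = _item(data, pos)
            key = data[kstart:pos]            # keys compared by their encoded bytes
            if prev is not None and (len(key), key) <= (len(prev), prev):
                raise ValueError("map keys unordered or duplicated at offset %d" % kstart)
            prev = key
            pos = _item(data, pos)
        return pos
    return pos                                # integers, simple values, floats: nothing follows

def check_canonical(data):
    """Return 'ok' if data is exactly one canonical CBOR item, else the rejection reason."""
    try:
        end = _item(data, 0)
    except ValueError as e:
        return str(e)
    return "ok" if end == len(data) else "trailing bytes after item"
```

The constructed inputs in the test show the four rejection classes: `a2616202016161` is the same map as `a2016161616202` with its keys swapped, `7f6161ff` is an indefinite-length text string, and `1805` is the integer 5 padded to a one-byte argument.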