Re: [webauthn] Consider requiring canonical CBOR throughout

From: Mike Jones via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Sep 2017 22:43:14 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328679610-1505169784-sysbot+gh@w3.org>

As has been discussed in the corresponding FIDO 2.0 CTAP issue https://github.com/fido-alliance/fido-2-specs/issues/200, the recipient can't assume that the content is canonical CBOR even if it's specified that it must be. That imposes additional validation steps that the authenticator must perform that otherwise would not be necessary. This seems like a "false savings" to me, as many of the canonicalization features add no value for this use case.

GitHub Notification of comment by selfissued
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-328679610 using your GitHub account
Received on Monday, 11 September 2017 22:43:07 UTC
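
The validation a recipient would have to run before trusting that input is canonical, sketched as an added example that is not part of the original message or of any WebAuthn/CTAP specification text. It assumes the canonical rules of RFC 7049 section 3.9 (shortest-form integers and lengths, definite lengths only, map keys sorted by encoded length and then bytewise); the names `is_canonical` and `NonCanonical` are hypothetical, and shortest-form floating point is not checked.

```python
class NonCanonical(ValueError):
    """Raised when an encoding breaks a canonical-CBOR rule (hypothetical name)."""

def _head(buf, pos):
    """Decode initial byte and argument; reject indefinite or non-shortest forms."""
    if pos >= len(buf):
        raise NonCanonical("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info > 27:  # 28-30 are reserved, 31 is indefinite length / break
        raise NonCanonical("indefinite length or reserved additional info")
    size = 1 << (info - 24)
    if pos + size > len(buf):
        raise NonCanonical("truncated input")
    arg = int.from_bytes(buf[pos:pos + size], "big")
    # Shortest form: the value must not fit in the next smaller encoding.
    if major != 7 and arg < (24, 0x100, 0x10000, 0x100000000)[info - 24]:
        raise NonCanonical("integer or length not in shortest form")
    return major, arg, pos + size

def _item(buf, pos):
    """Validate one data item starting at pos; return the offset just past it."""
    major, arg, pos = _head(buf, pos)
    if major in (2, 3):                      # byte string / text string payload
        if pos + arg > len(buf):
            raise NonCanonical("truncated string")
        return pos + arg
    if major == 4:                           # array of arg items
        for _ in range(arg):
            pos = _item(buf, pos)
    elif major == 5:                         # map of arg key/value pairs
        prev = None
        for _ in range(arg):
            start, pos = pos, _item(buf, pos)
            key = (pos - start, buf[start:pos])  # shorter first, then bytewise
            if prev is not None and key <= prev:
                raise NonCanonical("map keys unsorted or duplicated")
            prev, pos = key, _item(buf, pos)
    elif major == 6:                         # tag wraps exactly one item
        pos = _item(buf, pos)
    return pos

def is_canonical(buf):
    """True only if buf is exactly one item that passes every check above."""
    try:
        return _item(buf, 0) == len(buf)
    except NonCanonical:
        return False

# Constructed samples: the map {1: 2, 3: 4}, canonical and with its keys swapped.
SAMPLE_OK, SAMPLE_UNSORTED = bytes.fromhex("a201020304"), bytes.fromhex("a203040102")
```

Every branch here is work the recipient does in addition to ordinary decoding, which is the cost the message refers to.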
