- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 15 Sep 2017 19:09:32 +0000
- To: public-webauthn@w3.org
I did some more testing with existing FIDO U2F tokens over the weekend and found two (with completely separate firmware) that got into such a bad state after processing an invalid key handle that they needed a power cycle to get back to normal operation. No amount of care in a specification can address issues like that, but it does suggest that we can expect a very low level of testing on these devices, which will then be out in the world and very hard to fix. Thus I expect that a "required" subset of CBOR will appear even if not intended: it'll be roughly whatever major implementations emit, because going outside of that will hit various bugs. As an example, TCP options have a very simple tag/value format but, if you don't send some of them in the same order as Windows, then your packets will get dropped by a small (but painful) fraction of networking hardware. -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-329873558 using your GitHub account
Received on Friday, 15 September 2017 19:09:24 UTC