W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

Re: [webauthn] Consider requiring canonical CBOR throughout

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Fri, 15 Sep 2017 19:09:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-329873558-1505502562-sysbot+gh@w3.org>
I did some more testing with existing FIDO U2F tokens over the weekend and found two (with completely separate firmware) that got into such a bad state after processing an invalid key handle that they needed a power cycle to get back to normal operation.

No amount of care in a specification can address issues like that, but it does suggest that we can expect a very low level of testing on these devices, which will then be out in the world and very hard to fix.

Thus I expect that a "required" subset of CBOR will appear even if not intended: it'll be roughly whatever major implementations emit, because going outside of that will hit various bugs. As an example, TCP options have a very simple tag/value format but, if you don't send some of them in the same order as Windows, then your packets will get dropped by a small (but painful) fraction of networking hardware.

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/455#issuecomment-329873558 using your GitHub account
Received on Friday, 15 September 2017 19:09:24 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC