Re: [webauthn] `authData` in attestation vs `authenticatorData` in assertion naming?

It's not quite a duplicate of #892 - that issue was just about the variable names used in the algorithm specifications, not the names of the members in the data structures. Basically, this asymmetry is a remnant from earlier design decisions.

I think the main reason for this asymmetry is that the member name `authData` in the attestation statement is included in the CBOR object returned from the authenticator, and the length of the member name thus impacts the size of the message that needs to be transmitted over a perhaps limited-bandwidth channel. `authenticatorData` on the other hand is transmitted without a name, so its length does not impact the size of the message.

In truth, though: at this time the above is a pretty weak argument since CTAP actually uses the single byte `0x01` as the key for the `authData` member, which the client then repackages with the string `authData` as the key instead (this is possible since the member name is not signed over) - see #864.

Anyway, fixing the asymmetry at this point would be a breaking change we don't want to make. It could be worth considering for L2, though.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1043#issuecomment-413837038 using your GitHub account

Received on Friday, 17 August 2018 11:29:12 UTC
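
The size argument in the message above, as an added example (not part of the original comment and not code from the WebAuthn or CTAP specifications): a minimal CBOR encoder that compares the encoded size of an integer map key with the string keys `authData` and `authenticatorData`, and shows that the client's re-keying passes the value bytes through unchanged, which is why an unsigned member name can be swapped. The function names and the 37-byte placeholder value are constructed for illustration; the integer key `0x01` is taken from the comment as written.

```javascript
// Added example: CBOR subset (small unsigned ints, text strings, byte strings, maps).
const utf8 = new TextEncoder();

// Initial byte(s): major type in the top 3 bits, then the value or length.
function head(major, n) {
  if (n < 24) return [(major << 5) | n];
  if (n < 256) return [(major << 5) | 24, n];
  if (n < 65536) return [(major << 5) | 25, n >> 8, n & 0xff];
  throw new RangeError("length not supported in this sketch");
}

// A map key is either an unsigned integer (major type 0) or a text string (major type 3).
function encodeKey(key) {
  if (typeof key === "number") return head(0, key);
  const bytes = utf8.encode(key);
  return [...head(3, bytes.length), ...bytes];
}

// Encode a map whose values are all byte strings (major type 2).
function encodeMap(entries) {
  const out = head(5, entries.length);
  for (const [key, value] of entries) {
    out.push(...encodeKey(key), ...head(2, value.length), ...value);
  }
  return Uint8Array.from(out);
}

// Client-side re-keying: replace integer keys with names, pass values through untouched.
function repackage(entries, names) {
  return entries.map(([key, value]) => [names.get(key) ?? key, value]);
}

// Constructed sample: 37 placeholder bytes standing in for authenticator data.
const authData = new Uint8Array(37).fill(0xaa);
// Key 0x01 as stated in the comment above (assumption: check the CTAP version you target).
const fromAuthenticator = [[0x01, authData]];
const forRelyingParty = repackage(fromAuthenticator, new Map([[0x01, "authData"]]));

// Encoded size in bytes of each candidate key.
function keySizes() {
  return {
    integerKey: encodeKey(0x01).length,
    authData: encodeKey("authData").length,
    authenticatorData: encodeKey("authenticatorData").length,
  };
}

console.log(keySizes());
console.log(encodeMap(fromAuthenticator).length, encodeMap(forRelyingParty).length);
```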