Re: [webauthn] AttestationResponse vs AssertionResponse

@apowers313 wrote: 
> There is no functional reason to return a CBOR map for attestations and an object for assertions...

Actually, IIUC, [`AuthenticatorAttestationResponse`](https://www.w3.org/TR/webauthn/#authenticatorattestationresponse) will be a JavaScript object containing two byte arrays, one of which ([`clientDataJSON`](https://w3c.github.io/webauthn/#dom-authenticatorresponse-clientdatajson)) is JSON-serialized data, the other ([`attestationObject`](https://www.w3.org/TR/webauthn/#fig-attStructs)) is, as you note, a CBOR-encoded binary object. I do not see how this is markedly different from the [`AuthenticatorAssertionResponse`](https://www.w3.org/TR/webauthn/#iface-authenticatorassertionresponse) which will be a JS object containing three byte arrays.

We adopted the CBOR-encoded [`attestationObject`](https://www.w3.org/TR/webauthn/#fig-attStructs) as part of coalescing the [authenticator data](https://www.w3.org/TR/webauthn/#authenticator-data) with the attestation statement, while accommodating variable-length authenticator data and multiple [attestation statement formats](https://www.w3.org/TR/webauthn/#attestation-statement-format) and various other nuances, and with the goal of having the client not need to understand or parse the attestationObject. See omnibus PR #321 from early 2017.

@emlun is correct that now with the advent of [`AttestationConveyancePreference`](https://www.w3.org/TR/webauthn/#enumdef-attestationconveyancepreference), the client is obliged by default to parse and alter portions of the `attestationObject`. Oh well.

At this late stage, I am generally not in favor of making any further changes to these structures/objects. They're implemented and queued to ship and we've demonstrated interoperability. 

WRT @arnar's comment regarding authnrs returning CBOR maps with integer keys -- I'm not sure that's correct, see https://github.com/fido-alliance/fido-2-specs/issues/501#issuecomment-377045760




-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/854#issuecomment-377070738 using your GitHub account

Received on Wednesday, 28 March 2018 23:25:35 UTC
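
Added example, not part of the original comment or of the WebAuthn specification: a relying-party-side decode of a constructed `fmt: "none"` `attestationObject`, showing the CBOR map that wraps the attestation statement and the variable-length authenticator data discussed in the message above. The function names, the minimal CBOR subset decoder and the sample bytes are assumptions made for illustration.

```javascript
// Minimal CBOR subset (uint, strings, array, map; lengths < 65536), not a general decoder.
function cborDecode(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let n = info;
  if (info === 24) { n = buf[pos]; pos += 1; }
  else if (info === 25) { n = (buf[pos] << 8) | buf[pos + 1]; pos += 2; }
  else if (info > 25) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return [n, pos];
  if (major === 2 || major === 3) {
    if (pos + n > buf.length) throw new Error("truncated CBOR string");
    const bytes = buf.subarray(pos, pos + n);
    return [major === 2 ? bytes : new TextDecoder().decode(bytes), pos + n];
  }
  if (major !== 4 && major !== 5) throw new Error("unsupported major type " + major);
  const items = [];
  for (let i = 0; i < (major === 5 ? 2 * n : n); i++) {
    let v; [v, pos] = cborDecode(buf, pos); items.push(v);
  }
  if (major === 4) return [items, pos];
  const map = new Map();
  for (let i = 0; i < items.length; i += 2) map.set(items[i], items[i + 1]);
  return [map, pos];
}
// Authenticator data layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
// | [aaguid(16) | credIdLen(2) | credId | COSE key] when the AT flag (0x40) is set.
function parseAuthData(a) {
  if (a.length < 37) throw new Error("authData shorter than 37 bytes");
  const view = new DataView(a.buffer, a.byteOffset, a.byteLength);
  const out = { rpIdHash: a.subarray(0, 32), userPresent: !!(a[32] & 0x01),
    userVerified: !!(a[32] & 0x04), hasAttestedData: !!(a[32] & 0x40), signCount: view.getUint32(33) };
  if (out.hasAttestedData) {
    out.credentialId = a.subarray(55, 55 + view.getUint16(53));
    out.coseKeyBytes = a.subarray(55 + out.credentialId.length); // left undecoded in this sketch
  }
  return out;
}
function decodeAttestationObject(bytes) {
  const [obj, end] = cborDecode(bytes);
  if (end !== bytes.length) throw new Error("trailing bytes after attestationObject");
  return { fmt: obj.get("fmt"), attStmt: obj.get("attStmt"), authData: parseAuthData(obj.get("authData")) };
}
// Constructed sample, not captured from a real authenticator.
const cborText = (s) => [0x60 + s.length, ...new TextEncoder().encode(s)];
const sampleAuthData = [...Array(32).fill(0x11), 0x41, 0, 0, 0, 5, // rpIdHash, UP|AT, signCount=5
  ...Array(16).fill(0), 0, 4, 0xde, 0xad, 0xbe, 0xef, 0xa0];       // aaguid, credId, placeholder key
const sampleAttestationObject = Uint8Array.from([0xa3, ...cborText("fmt"), ...cborText("none"),
  ...cborText("attStmt"), 0xa0, ...cborText("authData"), 0x58, sampleAuthData.length, ...sampleAuthData]);
```

Decoding the COSE public key or a non-empty attestation statement needs a fuller CBOR decoder, since COSE keys use negative integer map keys that this subset rejects.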