- From: =JeffH <Jeff.Hodges@Kingsmountain.com>
- Date: Wed, 3 Oct 2018 11:35:09 -0700
- To: W3C WebAuthn WG <public-webauthn@w3.org>
the WebAuthn issue is https://github.com/w3c/webauthn/issues/294 -- which we closed because we added Notes to the spec wrt copying buffersources.

However, this is actually a credential-management (CredMan) issue because we are already async when webauthn's [[Create]]() or [[DiscoverFromExternalSource]]() are called by credential-management's navigator.credentials.create() or navigator.credentials.get(), respectively.

See: copy (aka snapshot) any buffersources in options before going async
<https://github.com/w3c/webappsec-credential-management/issues/128>

The below is the current state of my and JC's discussion wrt the language to use in CredMan to resolve this:

-------- Forwarded Message --------
In-Reply-To: <72b6bd97-e85b-065a-eedd-31ca923117bf@Kingsmountain.com>
From: J.C. Jones <jc@mozilla.com>
Date: Fri, 28 Sep 2018 15:10:12 -0700
Subject: Re: Fwd: Double-check WebAuthn buffersource issue resolution - Issue #294
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Cc: Hodges, Jeff <netwerkeddude@gmail.com>

Yeah, there's no definition I could find for a deep copy. Serialization seemed the best analog, followed by transferable-ness, but ugh, I didn't realize you couldn't serialize dictionaries.

I wonder if one could say something like, "a deep copy, such as by recursively cloning fields, except for BufferSource objects where one will need a copy of the bytes held by the buffer source".....

On Fri, Sep 28, 2018 at 2:12 PM =JeffH <Jeff.Hodges@kingsmountain.com> wrote:

On Fri, Sep 28, 2018 at 9:19 AM =JeffH
> offhand, I have a hunch the approp fix can be done in credman...

On 9/28/2018 9:49 AM, J.C. Jones wrote:
> It might need to, yes. Before we go async.

see https://github.com/w3c/webappsec-credential-management/issues/128

> So https://w3c.github.io/webappsec-credential-management/#algorithm-create
> a new step after step 7 before 8 should say something like:
>
> Let copiedOptions be a deep copy of options, where all BufferSource
> objects are a copy of the bytes held by the buffer source
> <https://heycam.github.io/webidl#dfn-get-buffer-source-reference>.

offhand, that seems like it _might_ work, however a "deep copy" operation/notion does not seem to be _explicitly_ defined in the context of WebIDL and HTML?

> This MAY be accomplished by serializing and deserializing
> <https://html.spec.whatwg.org/#serializable-objects> options.

that seems like it also _might_ work, but since CredentialCreationOptions and CredentialRequestOptions are dictionaries and <https://html.spec.whatwg.org/#serializable-objects> essentially says only interfaces are serializable, this seems to be not appropriate, yes?

Also, is the suggestion here that credman's alg would serialize options, and pass the resultant bytes to the internal method ( eg, [[Create]]() ), and then within internal method's implementation (eg supplied by WebAuthn), it would deserialize those "options bytes" back into an options dictionary?

thanks,

=JeffH
Received on Wednesday, 3 October 2018 18:44:46 UTC
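
The snapshot step discussed in this thread, sketched as an added JavaScript example that is not part of the original message or of either spec. The function names are hypothetical, and the closure returned by `simulateCreate` is an assumed stand-in for the steps that run after `navigator.credentials.create()` has gone async.

```javascript
// Added example; all function names here are hypothetical, not spec text.

// Copy the bytes held by a BufferSource (ArrayBuffer or ArrayBufferView).
function copyBufferSource(src) {
  if (src instanceof ArrayBuffer) return src.slice(0);
  // A view may cover only part of its underlying buffer.
  return src.buffer.slice(src.byteOffset, src.byteOffset + src.byteLength);
}

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep copy: recurse through dictionary members and sequences and
// snapshot every BufferSource. Interface objects (for example an
// AbortSignal) and primitives are passed through unchanged.
function snapshotOptions(value) {
  if (value instanceof ArrayBuffer || ArrayBuffer.isView(value)) {
    return copyBufferSource(value);
  }
  if (Array.isArray(value)) return value.map(snapshotOptions);
  if (isPlainObject(value)) {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = snapshotOptions(v);
    return out;
  }
  return value;
}

// Stand-in for create(): the returned closure models the steps that run
// after the call has returned and the caller's script is running again.
function simulateCreate(options, takeSnapshot) {
  const opts = takeSnapshot ? snapshotOptions(options) : options;
  return () => Array.from(new Uint8Array(copyBufferSource(opts.publicKey.challenge)));
}

// Returns the challenge bytes the deferred steps end up reading.
function challengeSeen(takeSnapshot) {
  const challenge = new Uint8Array([1, 2, 3, 4]); // constructed sample value
  const options = { publicKey: { challenge, timeout: 60000 } };
  const deferred = simulateCreate(options, takeSnapshot);
  challenge.fill(0xff); // caller rewrites the buffer while the request is pending
  return deferred();
}

console.log(challengeSeen(false), challengeSeen(true));
```

Without the snapshot the deferred steps read the rewritten bytes; with it they read the bytes that were present when the call was made.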