[webauthn] Certain issues in client extension pass-through specification (#1273)

peteroupc has just created a new issue for https://github.com/w3c/webauthn:

== Certain issues in client extension pass-through specification ==
There are two issues with Section 9, which discusses how clients pass through unrecognized extensions.

1.  In the algorithm for converting client extension inputs to CBOR, section 9 currently says: "When the JavaScript value _is a non-integer number_, it is converted to a 64-bit CBOR floating point number."  But until recently, JavaScript had only one number type, namely a 64-bit floating-point number of the class `Number`, and no integer types such as 32- or 64-bit integers.  And currently, of the defined WebAuthn extensions, only biometricPerfBounds includes number types, namely `float`, in client extension inputs. This suggests to me that—

    - section 9 can simply say "When the JavaScript value is a `float` [or `float` or `double`]..." rather than "When the JavaScript value is a non-integer number", and
    - WebAuthn should discourage new extension definitions that use any number type other than float (or `double`) in their client extension inputs (due to the [lack of a threshold](https://github.com/w3c/webauthn/issues/1044) above which integers are converted to floating-point numbers rather than CBOR integers).

2.  When a client passes through an unrecognized extension, the special cases for ArrayBuffers, non-integer numbers, and CBOR byte strings are probably intended to apply when those values appear as keys and values of arrays and maps, not just when they stand alone (one possible interpretation due to how this section incorporates RFC7049 by reference).  This can be addressed, for example, by adding text as follows: "However, if the JavaScript value contains ArrayBuffers and/or non-integer numbers [contains ArrayBuffers, `float`s, and/or `double`s], they are converted as described above rather than as given in that section."

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1273 using your GitHub account

Received on Saturday, 10 August 2019 06:08:02 UTC
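
Added example, not part of the original issue or of the WebAuthn specification: a small JavaScript-to-CBOR encoder that makes both points above concrete, namely that `1.0` cannot be told apart from `1`, and that nested values encode differently depending on whether the ArrayBuffer and non-integer special cases apply inside arrays and maps. The function names, the 2^32 integer threshold, and the model of the narrow reading (float32 when lossless for nested non-integers, no rule for nested ArrayBuffers) are assumptions made for illustration.

```javascript
// Added example (not from the WebAuthn spec). `nested` selects the reading:
// true  = special cases also apply inside arrays/maps (the issue's proposal);
// false = they apply only to a standalone value (assumed narrow reading).
const hex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, "0")).join("");

function head(major, n) {            // CBOR head for an argument n < 2^32
  if (n < 24) return [(major << 5) | n];
  if (n < 0x100) return [(major << 5) | 24, n];
  if (n < 0x10000) return [(major << 5) | 25, n >> 8, n & 0xff];
  return [(major << 5) | 26, n >>> 24, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
}

function float(v, force64) {         // float32 only when lossless and allowed
  const wide = force64 || Math.fround(v) !== v;
  const b = new Uint8Array(wide ? 8 : 4);
  const dv = new DataView(b.buffer);
  if (wide) dv.setFloat64(0, v); else dv.setFloat32(0, v);   // big-endian
  return [wide ? 0xfb : 0xfa, ...b];
}

function encode(v, nested = true, top = true) {
  const special = nested || top;     // do the WebAuthn special cases apply here?
  if (v === null || typeof v === "boolean") return [v === null ? 0xf6 : v ? 0xf5 : 0xf4];
  if (typeof v === "number") {
    // Assumed threshold (the spec gives none): |v| < 2^32 stays a CBOR integer.
    if (Number.isInteger(v) && Math.abs(v) < 2 ** 32)
      return v >= 0 ? head(0, v) : head(1, -1 - v);
    return float(v, special);
  }
  if (v instanceof ArrayBuffer) {
    if (!special) throw new TypeError("generic conversion has no rule for ArrayBuffer");
    return [...head(2, v.byteLength), ...new Uint8Array(v)];
  }
  if (typeof v === "string") {
    const utf8 = new TextEncoder().encode(v);
    return [...head(3, utf8.length), ...utf8];
  }
  if (Array.isArray(v))
    return [...head(4, v.length), ...v.flatMap((x) => encode(x, nested, false))];
  if (typeof v === "object") {
    const kv = Object.entries(v);
    return [...head(5, kv.length),
      ...kv.flatMap(([k, x]) => [...encode(k, nested, false), ...encode(x, nested, false)])];
  }
  throw new TypeError("value type not covered by this sketch");
}
```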