Re: [webauthn] Add more requirements for ClientDataJSON serialisation. (#1375)

As an outsider to this process (though one with some protocol design experience), this entire proposal/workaround seems deeply dangerous at worst, and an ugly wart at best.

There should be _no_ justification for not requiring a standard JSON serializer and parser; that is just asking for unknown and unforeseen trouble in a spec.  JSON is used in all manner of security-sensitive and even constrained protocols.

Asking implementors to do *manual* serialization of part of a JSON document is almost guaranteed to result in one or more vulnerabilities.  I’m disappointed that anyone from SSH is even asking for or expecting this kind of compromise just for their benefit.  There are many formal and audited codebases that include JSON parsers, and even some parsers that will tokenize side-effect free without any memory allocations/operations.

It took a lot for me to decide to say something here after this was pointed out to me, since I’ve not participated in any of these processes and don’t have a full background, so I’ll understand if I’m off track.  What I’ve read here, though, was shocking enough that I felt compelled to speak, just in case I’m not the only observer who has these concerns, and hope that the whole spec isn’t cobbled by a single particularly stubborn use-case.

-- 
GitHub Notification of comment by quartzjer
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1375#issuecomment-614219085 using your GitHub account

Received on Wednesday, 15 April 2020 18:55:26 UTC