[webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363) from Adam Langley via GitHub on 2020-01-22 (public-webauthn@w3.org from January 2020)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 22 Jan 2020 22:08:44 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-553823033-1579730923-sysbot+gh@w3.org>

agl has just created a new issue for https://github.com/w3c/webauthn:

== Provide the public key in `AuthenticatorAttestationResponse` ==
The public key for a freshly created credential is provided inside of the [attestation object](https://w3c.github.io/webauthn/#dom-authenticatorattestationresponse-attestationobject). However, that is a somewhat complex format that involves decoding CBOR in order to read the public key. If a site doesn't care about attestation (as many won't) we might usefully be able to have browsers provide fields of this structure more directly.

Assumption: absent attestation, web site implementations wouldn't need CBOR if we did this. This appears to be true at first glance since the [authenticator data](https://w3c.github.io/webauthn/#authenticator-data) is a fixed-offset binary format (not including extensions).

A reason not to do this would be that it encourages sites to depend on these additional fields, which will only be available in newer browsers. Thus people with older browsers might not be able to use WebAuthn, even though they could if sites put in more work. However, this argument applies to any such ergonomic improvement to the API and so, if we buy it, we're forced to conclude that they're mostly a bad idea as a class. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363 using your GitHub account

Received on Wednesday, 22 January 2020 22:08:46 UTC