Re: [webauthn] Use of CBOR, and Uint8Array/ArrayBuffer (#1362)

I do see your point, especially in regards to backwards compatibility, but ArrayBuffers are a pain to send to the server (where they will ultimately need to be sent).

Which is where I'm intrigued by the suggestion of a HTML element, one that does not need any JavaScript, and could be polyfilled by JavaScript on older browsers (addressing the backwards compatibility issue).

I think that HTML element should make a POST request to the server, using JSON encoding, and base64 encoding for any binary data.

At the moment I'm thinking a normal `<input type="submit" name="auth" value="Create" />` (so something appears for older browsers, when a polyfill fails), then adding one of two new attributes (`credential-create=""` or `credential-get=""`) where their content sets the options (also using JSON).

Then, along with the public key being in an easier to use format (maybe PEM), it would be nice to have easy access to all of the other values (rpIdHash, flags, and signCount).



    $options = {
        "publicKey": {
            "rp": {
                "name": "Test Website",
                "id": ""
            "user": {
                "id": "MTIzNA==", // A Base64 encoded value (1234), not Uint8Array
                "name": "",
                "displayName": "Craig Francis"
            "challenge": "txHXB+K0cQFlWLhBOd0jvHSBCd4aJv8I5X0Z7U7ElGU=", // A Base64 encoded value, not Uint8Array
            "pubKeyCredParams": [
                    "type": "public-key",
                    "alg": -7
            "timeout": 10000,
            "attestation": "none",
            "excludeCredentials": [
            "userVerification": "discouraged"

    <form action="/path/" method="post">
        <input type="submit" name="auth" value="Create" credential-create="<?= htmlentities(json_encode($options)) ?>" />


POST Response:

    $auth = {
        "id": "mGYJM5RrXM1bwWlIvOewnjOAJ1Y4OmmDyMZ5tkdJCcWCay1RktHcfQvpDB4OIw9UsqntFx1FGJDCugyQTTFnrg",
        "type": "public-key",
        "auth": {
            "rpIdHash": "afb64c14d8723ef066d1e108dd60adec30447611664958a5587cdf806ba5ab6b",
            "flags": {
                "UP": true,
                "RFU1": false,
                "UV": false,
                "RFU2a": false,
                "RFU2b": false,
                "RFU2c": false,
                "AT": true,
                "ED": false
            "signCount": 0,
            "attestedCredentialData": {
                "aaguid": "AAAAAAAAAAAAAAAAAAAAAA==",
                "credentialId": "mGYJM5RrXM1b",
                "publicKey": {
                    "type": 2,
                    "algorithm": -7,
                    "curve_type": 1,
                    "curve_x": "uELJlQrFdsxGjthRcbrcNwMKDGbsaEoP4T5T6JBdGQM=",
                    "curve_y": "XBZY+ZCfmnQia65ZO17sHuD0FkUoAwIbE39G/EfChjI=",
                    "pem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuELJlQrFdsxGjthRcbrcNwMKDGbs\naEoP4T5T6JBdGQNcFlj5kJ+adCJrrlk7Xuwe4PQWRSgDAhsTf0b8R8KGMg==\n-----END PUBLIC KEY-----"
            "extensions": null
        "response": {
            "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJ0eEhYQi1LMGNRRmxXTGhCT2QwanZIU0JDZDRhSnY4STVYMFo3VTdFbEdVIiwib3JpZ2luIjoiaHR0cHM6Ly9icm93c2VyLndlYmF1dGhuLmVtbWEuZGV2Y2YuY29tIiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9",
            "attestationObject": ""

GitHub Notification of comment by craigfrancis
Please view or discuss this issue at using your GitHub account

Received on Thursday, 23 January 2020 00:33:35 UTC